This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
) j must be the least upper bound.
2 Ag, mK (<>')
The Iteration Operator The iteration operator is interpreted as the re exive transitive closure operator on
binary relations. It is the means by which iteration is coded in PDL. This operator diers from the other operators in that it is in nitary in nature, as re ected by its semantics: [ mK ( ) = mK () = mK ()n n
(see Section 5.2). This introduces a level of complexity to PDL beyond the other operators. Because of it, PDL is not compact: the set f< >'g [ f:'; :<>'; :<2 >'; : : : g (5.6.1) is nitely satis able but not satis able. Because of this in nitary behavior, it is rather surprising that PDL should be decidable and that there should be a nitary complete axiomatization. The properties of the operator of PDL come directly from the properties of the re exive transitive closure operator on binary relations, as described in Section 1.3 and Exercises 1.12 and 1.13. In a nutshell, for any binary relation R, R is the -least re exive and transitive relation containing R. Theorem 5.15:
The following are valid formulas of PDL:
(i) [ ]' ! ' (ii) ' ! < >' (iii) [ ]' ! []' (iv) <>' ! < >' (v) [ ]' $ [ ]' (vi) < >' $ < >' (vii) [ ]' $ []' (viii) < >' $ <>' (ix) [ ]' $ ' ^ [][ ]'.
MIT Press Math7X9/2000/06/30:10:36 Page 182
182
Chapter 5
(x) < >' $ ' _ <>< >'. (xi) [ ]' $ ' ^ [ ](' ! []'). (xii) < >' $ ' _ < >(:' ^ <>'). Proof These properties follow immediately from the semantics of PDL (Section 5.2) and the properties of re exive transitive closure (Exercises 1.7, 1.12, and 1.13).
Semantically, is a re exive and transitive relation containing , and Theorem 5.15 captures this. That is re exive is captured in (ii); that it is transitive is captured in (vi); and that it contains is captured in (iv). These three properties are captured by the single property (x).
Re exive Transitive Closure and Induction
To prove properties of iteration, it is not enough to know that is a re exive and transitive relation containing . So is the universal relation K K , and that is not very interesting. We also need some way of capturing the idea that is the least re exive and transitive relation containing . There are several equivalent ways this can be done:
(RTC) The re exive transitive closure rule : (' _ <> ) ! < >' ! (LI) ! [] ! [ ]
The loop invariance rule :
(IND) The induction axiom (box form): ' ^ [ ](' ! []') ! [ ]' (IND) The induction axiom (diamond form): < >' ! ' _ < >(:' ^ <>')
MIT Press Math7X9/2000/06/30:10:36 Page 183
Propositional Dynamic Logic
183
The rule (RTC) is called the re exive transitive closure rule . Its importance is best described in terms of its relationship to the valid PDL formula of Theorem 5.15(x). Observe that the right-to-left implication of this formula is obtained by substituting < >' for R in the expression
' _ <>R ! R:
(5.6.2)
Theorem 5.15(x) implies that < >' is a solution of (5.6.2); that is, (5.6.2) is valid when < >' is substituted for R. The rule (RTC) says that < >' is the least such solution with respect to logical implication. That is, it is the least PDL-de nable set of states that when substituted for R in (5.6.2) results in a valid formula. The dual propositions labeled (IND) are jointly called the PDL induction axiom . Intuitively, the box form of (IND) says, \If ' is true initially, and if, after any number of iterations of the program , the truth of ' is preserved by one more iteration of , then ' will be true after any number of iterations of ." The diamond form of (IND) says, \If it is possible to reach a state satisfying ' in some number of iterations of , then either ' is true now, or it is possible to reach a state in which ' is false but becomes true after one more iteration of ." As mentioned in Section 5.5, the box form of (IND) bears a strong resemblance to the induction axiom of Peano arithmetic:
'(0) ^ 8n ('(n) ! '(n + 1)) ! 8n '(n): In Theorem 5.18 below, we argue that in the presence of the other axioms and rules of PDL, the rules (RTC), (LI), and (IND) are interderivable. First, however, we argue that the rule (RTC) is sound. The soundness of (LI) and (IND) will follow from Theorem 5.18. Theorem 5.16:
The re exive transitive closure rule (RTC) is sound.
Proof We need to show that in any model K, if mK (') mK ( ) and mK (<> ) mK ( ), then mK (< >') mK ( ). We show by induction on n that mK (<n >') mK ( ). Certainly mK (') = mK (<skip>'), since mK (skip) = , and is an identity for relational composition (Exercise 1.2). By de nition, 0 = skip, so mK (<0 >') mK ( ).
MIT Press Math7X9/2000/06/30:10:36 Page 184
184
Chapter 5
Now suppose mK (<n >') mK ( ). Then mK (<n+1 >') = mK (<><n >') mK (<> ) mK ( )
by the monotonicity of <> by assumption.
S
Thus for all n, mK (<n >') mK ( ). Since mK (< >') = n'), we have that mK (< >') mK ( ). The deductive relationship between the induction axiom (IND), the re exive transitive closure rule (RTC), and the rule of loop invariance (LI) is summed up in the following lemma and theorem. We emphasize that these results are purely proof-theoretic and independent of the semantics of Section 5.2. The monotonicity rules of Theorem 5.7(ii) and (iii) are derivable in PDL without the induction axiom. Lemma 5.17:
Proof This is really a theorem of modal logic. First we show that the rule of Theorem 5.7(iii) is derivable in PDL without induction. Assuming the premise ' ! and applying modal generalization, we obtain [](' ! ). The conclusion []' ! [] then follows from Axiom 5.5(ii) and modus ponens. The dual monotonicity rule, Theorem 5.7(ii), can be derived from (iii) by pure propositional reasoning.
In PDL without the induction axiom, the following axioms and rules are interderivable: Theorem 5.18:
the induction axiom (IND); the loop invariance rule (LI); the re exive transitive closure rule (RTC). Proof (IND) ! (LI) Assume the premise of (LI):
' !
[]':
By modal generalization,
[ ]('
! []');
MIT Press Math7X9/2000/06/30:10:36 Page 185
Propositional Dynamic Logic
185
thus
' ! ' ^ [ ](' ! []') ! [ ]': The rst implication is by propositional reasoning and the second is by (IND). By transitivity of implication (Example 3.7), we obtain
' !
[ ]';
which is the conclusion of (LI). (LI) ! (RTC) Dualizing (RTC) by purely propositional reasoning, we obtain a rule
! ' ^ [] ! [ ]'
(5.6.3)
equivalent to (RTC). It thus suces to derive (5.6.3) from (LI). From the premise of (5.6.3), we obtain by propositional reasoning the two formulas
! ' ! [] :
(5.6.4) (5.6.5)
Applying (LI) to (5.6.5), we obtain
! [ ] ;
which by (5.6.4) and monotonicity (Lemma 5.17) gives
! [ ]':
This is the conclusion of (5.6.3). (RTC) ! (IND) By Axiom 5.5(iii) and (vii) and propositional reasoning, we have
' ^ [ ](' ! []') ! ' ^ (' ! []') ^ [][ ](' ! []') ! ' ^ []' ^ [][ ](' ! []') ! ' ^ [](' ^ [ ](' ! []')): By transitivity of implication (Example 3.7),
' ^ [ ](' ! []') ! ' ^ [](' ^ [ ](' ! []')):
MIT Press Math7X9/2000/06/30:10:36 Page 186
186
Chapter 5
Applying (5.6.3), which we have argued is equivalent to (RTC), we obtain (IND):
' ^ [ ](' ! []') !
[ ]':
5.7 Encoding Hoare Logic Recall that the Hoare partial correctness assertion f'g f g is encoded as ' ! [] in PDL. The following theorem says that under this encoding, Dynamic Logic subsumes Hoare Logic. Theorem 5.19:
The following rules of Hoare Logic are derivable in PDL:
(i) Composition rule:
f'g fg; fg f g f'g ; f g
(ii) Conditional rule:
f' ^ g f g; f:' ^ g f g fg if ' then else f g (iii) While rule: f' ^ g f g f g while ' do f:' ^ g (iv) Weakening rule:
'0 ! '; f'g f g; f'0 g f 0 g
!
0
Proof We derive the while rule (iii) in PDL. The other Hoare rules are also derivable, and we leave them as exercises (Exercise 5.14). Assuming the premise
f' ^ g f g = (' ^ ) ! [] ; we wish to derive the conclusion
f g while ' do f:' ^ g =
! [('?; ) ; :'?](:' ^ ):
(5.7.1) (5.7.2)
MIT Press Math7X9/2000/06/30:10:36 Page 187
Propositional Dynamic Logic
187
Using propositional reasoning, (5.7.1) is equivalent to ! (' ! [] ); which by Axioms 5.5(v) and (vi) is equivalent to ! ['?; ] : Applying the loop invariance rule (LI), we obtain ! [('?; ) ] : By the monotonicity of [('?; ) ] (Lemma 5.17) and propositional reasoning, ! [('?; ) ](:' ! (:' ^ )); and by Axiom 5.5(vi), we obtain ! [('?; ) ][:'?](:' ^ ): By Axiom 5.5(v), this is equivalent to the desired conclusion (5.7.2).
5.8 Bibliographical Notes Burstall (1974) suggested using modal logic for reasoning about programs, but it was not until the work of Pratt (1976), prompted by a suggestion of R. Moore, that it was actually shown how to extend modal logic in a useful way by considering a separate modality for every program. The rst research devoted to propositional reasoning about programs seems to be that of Fischer and Ladner (1977, 1979) on PDL. As mentioned in the Preface, the general use of logical systems for reasoning about programs was suggested by Engeler (1967). Other semantics besides Kripke semantics have been studied; see Berman (1979); Nishimura (1979); Kozen (1979b); Trnkova and Reiterman (1980); Kozen (1980b); Pratt (1979b). Modal logic has many applications and a vast literature; good introductions can be found in Hughes and Cresswell (1968); Chellas (1980). Alternative and iterative guarded commands were studied in Gries (1981). Partial correctness assertions and the Hoare rules given in Section 5.7 were rst formulated by Hoare (1969). Regular expressions, on which the regular program operators are based, were introduced by Kleene (1956). Their algebraic theory was further investigated by Conway (1971). They were rst applied in the context of DL by Fischer and Ladner (1977, 1979). The axiomatization of PDL given in Axioms 5.5 was formulated by Segerberg (1977). Tests and converse were investigated by various
MIT Press Math7X9/2000/06/30:10:36 Page 188
188
Chapter 5
authors; see Peterson (1978); Berman (1978); Berman and Paterson (1981); Streett (1981, 1982); Vardi (1985b). Theorem 5.14 is due to Trnkova and Reiterman (1980).
Exercises 5.1. Prove Proposition 5.2. 5.2. A program is said to be semantically deterministic in a Kripke frame K if its traces are uniquely determined by their rst states. Show that if and are semantically deterministic in a structure K, then so are if ' then else and while ' do . 5.3. We say that two programs and are equivalent if they represent the same binary relation in all Kripke frames; that is, if mK () = mK ( ) for all K. Let p be an atomic proposition not occurring in or . Prove that and are equivalent i the PDL formula <>p $ < >p is valid. 5.4. Prove in PDL that the following pairs of programs are equivalent in the sense of Exercise 5.3. For (c), use the encodings (4.3.1) and (4.3.2) of Section 4.3 and reason in terms of the regular operators. (a) a(ba) (ab)a (b) (a [ b) (a b)a (c) while b do begin p;
end if b then begin
while c do q
p;
end
while b _ c do if c then q else p
5.5. Let be the program (5.4.1) of Example 5.3. Show that for any proposition ', the proposition ' $ []' is valid in the model K of that example. 5.6. Prove that the formula (5.4.2) of Example 5.4 is valid. Give a semantic
MIT Press Math7X9/2000/06/30:10:36 Page 189
Propositional Dynamic Logic
189
argument using the semantics of PDL given in Section 5.2, not the deductive system of Section 5.5. 5.7. Prove that the box and diamond forms of the PDL induction axiom are equivalent. See Section 5.6. 5.8. Prove that the following statements are valid:
! <; >' < >' $ < >' < >' $ ' _ <>' _ <>' _ _ <n;1 >' _ <n >': <>'
5.9. Prove that the following are theorems of PDL. Use Axiom System 5.5, do not reason semantically. (i) <>' ^ [] ! <>(' ^ ) (ii) <>(' _ ) $ <>' _ <> (iii) < [ >' $ <>' _ < >' (iv) < >' $ <>< >' (v) < ?>' $ ^ ' (vi) < >' $ ' _ < >' (vii) < >' ! ' _ < >(:' ^ <>'). (viii) < >' $ ' _ < >(:' ^ <>'). In the presence of the converse operator ; , (ix) <>[; ]' ! ' (x) <; >[]' ! '. 5.10. Give counterexamples showing that the converses of Theorem 5.6(iv){(vi) are not valid. 5.11. Supply the missing details in the proof of Corollary 5.9. 5.12. Show that Theorem 5.14 fails in PDL without the converse operator ; . Construct a Kripke model such that the operator is not continuous. 5.13. Let be a set of atomic programs and let be the set of nite-length strings
MIT Press Math7X9/2000/06/30:10:36 Page 190
190
Chapter 5
over . A regular expression over is a PDL program over with only operators [, , and ;. A regular expression denotes a set L() of strings in as follows:
L(a) def = fag; a 2 def L( ) = L() L( ) = fxy j x 2 L(); y 2 L( )g def L( [ ) = L() [ L( ) [ L( ) def = L()n ; n
where L()0 = f"g, L(n+1 ) = L(n ) L(), and " is the empty string. Let p be an atomic proposition. Prove that for any two regular expressions ; , L() = L( ) i <>p $ < >p is a theorem of PDL. 5.14. Prove that the composition, conditional, and weakening rules of Hoare Logic (Theorem 5.19(i), (ii), and (iv), respectively) are derivable in PDL.
MIT Press Math7X9/2000/06/30:10:36 Page 191
6 Filtration and Decidability In this chapter we will establish a small model property for PDL. This result and the technique used to prove it, called ltration , come directly from modal logic. The small model property says that if ' is satis able, then it is satis ed at a state in a Kripke frame with no more than 2j'j states, where j'j is the number of symbols of '. This immediately gives a naive decision procedure for the satis ability problem for PDL: to determine whether ' is satis able, construct all Kripke frames with at most 2j'j states and check whether ' is satis ed at some state in one of them. Considering only interpretations of the primitive formulas and primitive programs appearing in ', there are roughly 22 ' such models, so this algorithm is too inecient to be practical. A more ecient algorithm will be given in Chapter 8. j
j
6.1 The Fischer{Ladner Closure Many proofs in simpler modal systems use induction on the well-founded subformula relation. In PDL, the situation is complicated by the simultaneous inductive de nitions of programs and propositions and by the behavior of the operator, which make the induction proofs somewhat tricky. Nevertheless, we can still use the well-founded subexpression relation in inductive proofs. Here an expression can be either a program or a proposition. Either one can be a subexpression of the other because of the mixed operators [ ] and ?. We start by de ning two functions FL : ! 2 FL2 : f[]' j 2 ; ' 2 g ! 2
by simultaneous induction. The set FL(') is called the Fischer{Ladner closure of '. The ltration construction of Lemma 6.3 uses the Fischer{Ladner closure of a given formula where the corresponding proof for propositional modal logic would use the set of subformulas. The functions FL and FL2 are de ned inductively as follows: (a) FL(p) def = fpg, p an atomic proposition (b) FL(' ! ) def = f' ! g [ FL(') [ FL( ) def (c) FL(0) = f0g
MIT Press Math7X9/2000/06/30:10:36 Page 192
192
Chapter 6
(d) FL([]') def = FL2 ([]') [ FL(') (e) FL2 ([a]') def = f[a]'g, a an atomic program 2 (f) FL ([ [ ]') def = f[ [ ]'g [ FL2 ([]') [ FL2 ([ ]') (g) FL2 ([ ; ]') def = f[ ; ]'g [ FL2 ([][ ]') [ FL2([ ]') (h) FL2 ([ ]') def = f[ ]'g [ FL2 ([][ ]') def (i) FL2 ([ ?]') = f[ ?]'g [ FL( ). This de nition is apparently quite a bit more involved than for mere subexpressions. In fact, at rst glance it may appear circular because of the rule (h). The auxiliary function FL2 is introduced for the express purpose of avoiding any such circularity. It is de ned only for formulas of the form []' and intuitively produces those elements of FL([]') obtained by breaking down and ignoring '. Even after convincing ourselves that the de nition is noncircular, it may not be clear how the size of FL(') depends on the length of '. Indeed, the right-hand side of rule (h) involves a formula that is larger than the formula on the left-hand side. We will be able to establish a linear relationship by induction on the well-founded subexpression relation (Lemma 6.3). First we show a kind of transitivity property of FL and FL2 that will be useful in later arguments. Lemma 6.1:
(i) If 2 FL('), then FL() FL('). (ii) If 2 FL2 ([]'), then FL() FL2 ([]') [ FL('). Proof We prove (i) and (ii) by simultaneous induction on the well-founded subexpression relation. First we show (i), assuming by the induction hypothesis that (i) and (ii) hold for proper subexpressions of '. There are four cases, depending on the form of ': an atomic proposition p, ' ! , 0, or []'. We argue the second and fourth cases explicitly and leave the rst and third as exercises (Exercise 6.1). If 2 FL(' ! ), then by clause (b) in the de nition of FL, either = ' ! , 2 FL('), or 2 FL( ). In the rst case, FL() = FL(' ! ), and we are done. In the second and third cases, we have FL() FL(') and FL() FL( ), respectively, by the induction hypothesis (i). In either case, FL() FL(' ! ) by clause (b) in the de nition of FL. If 2 FL([]'), then by clause (d) in the de nition of FL, either 2
MIT Press Math7X9/2000/06/30:10:36 Page 193
Filtration and Decidability
193
FL2 ([]') or 2 FL('). In the former case, FL() FL2 ([]') [ FL(') by the induction hypothesis (ii). (The induction hypothesis holds here because is a proper subexpression of []'.) In the latter case, FL() FL(') by the induction hypothesis (i). Thus in either case, FL() FL([]') by clause (d) in the de nition of FL. Now we show (ii), again assuming that (i) and (ii) hold for proper subexpressions. There are ve cases, depending on the form of the program: an atomic program a, [ , ; , , or ?. We argue the third and fourth cases explicitly, leaving the remaining three as exercises (Exercise 6.1). If 2 FL2 ([ ; ]'), then by clause (g) in the de nition of FL2 , either
(A) = [ ; ]', (B) 2 FL2 ([][ ]'), or (C) 2 FL2 ([ ]'). In case (A), FL() = FL2 ([ ; ]') [ FL(') by clause (d) in the de nition of FL, and we are done. In case (B), we have FL() FL2([][ ]') [ FL([ ]') by the induction hypothesis (ii) = FL2([][ ]') [ FL2 ([ ]') [ FL(') by clause (d) in the de nition of FL 2 FL ([ ; ]') [ FL(') by clause (g) in the de nition of FL2 . In case (C), FL() FL2([ ]') [ FL(') by the induction hypothesis (ii) 2 FL ([ ; ]') [ FL(') by clause (g) in the de nition of FL2 . If 2 FL2([ ]'), then by clause (h) in the de nition of FL2 , either = [ ]' or 2 FL2 ([][ ]'). In the former case, FL() = FL2 ([ ]') [ FL(') by clause (d) in the de nition of FL. In the latter case, we have FL() FL2([][ ]') [ FL([ ]') = FL2([][ ]') [ FL2 ([ ]') [ FL(') FL2([ ]') [ FL(') by the induction hypothesis (ii) and clauses (d) and (h) in the de nition of FL and FL2 . The following closure properties of FL are straightforward consequences of
MIT Press Math7X9/2000/06/30:10:36 Page 194
194
Chapter 6
Lemma 6.1. Lemma 6.2:
(i) If [] 2 FL('), then 2 FL('). (ii) If [?] 2 FL('), then 2 FL('). (iii) If [ [ ] 2 FL('), then [] 2 FL(') and [ ] 2 FL('). (iv) If [ ; ] 2 FL('), then [][ ] 2 FL(') and [ ] 2 FL('). (v) If [ ] 2 FL('), then [][ ] 2 FL('). Proof Exercise 6.2. The following lemma bounds the cardinality of FL(') as a function of the length of '. Recall that #A denotes the cardinality of a set A. Let j'j and jj denote the length (number of symbols) of ' and , respectively, excluding parentheses. Lemma 6.3:
(i) For any formula ', #FL(') j'j. (ii) For any formula []', #FL2 ([]') jj. Proof The proof is by simultaneous induction on the well-founded subexpression relation. First we show (i). If ' is an atomic formula p, then #FL(p) = 1 = jpj: If ' is of the form ! , then #FL( ! ) 1 + #FL( ) + #FL() 1 + j j + jj by the induction hypothesis (i) = j ! j: The argument for ' of the form 0 is easy. Finally, if ' is of the form [] , then #FL([] ) #FL2 ([] ) + #FL( ) jj + j j by the induction hypothesis (i) and (ii)
j[] j:
Now we show (ii). If is an atomic program a, then #FL2 ([a]') = 1 = jaj:
MIT Press Math7X9/2000/06/30:10:36 Page 195
Filtration and Decidability
195
If is of the form [ , then #FL2 ([ [ ]') 1 + #FL2([ ]') + #FL2 ([ ]') 1 + j j + j j = j [ j: If is of the form ; , then #FL2 ([ ; ]') 1 + #FL2 ([ ][ ]') + #FL2 ([ ]') 1 + j j + j j = j ; j: If is of the form , then #FL2 ([ ]') 1 + #FL2 ([ ][ ]') 1 + j j = j j: Finally, if is of the form ?, then #FL2 ([ ?]') 1 + #FL( ) 1 + j j by the induction hypothesis (i) = j ?j:
6.2 Filtration and the Small Model Theorem Given a PDL proposition ' and a Kripke frame K = (K; mK ), we de ne a new frame K=FL(') = (K=FL('); mK=FL(') ), called the ltration of K by FL('), as follows. De ne a binary relation on states of K by: def u v () 8 2 FL(') (u 2 mK ( ) () v 2 mK ( )):
MIT Press Math7X9/2000/06/30:10:36 Page 196
196
Chapter 6
In other words, we collapse states u and v if they are not distinguishable by any formula of FL('). Let [u] K=FL(') mK=FL(')(p) mK=FL(')(a)
def
= = def = def = def
fv j v ug f[u] j u 2 K g f[u] j u 2 mK (p)g; p an atomic proposition f([u]; [v]) j (u; v) 2 mK (a)g; a an atomic program.
The map mK=FL(') is extended inductively to compound propositions and programs as described in Section 5.2. The following key lemma relates K and K=FL('). Most of the diculty in the following lemma is in the correct formulation of the induction hypotheses in the statement of the lemma. Once this is done, the proof is a fairly straightforward induction on the well-founded subexpression relation. Lemma 6.4 (Filtration Lemma): states of K.
Let K be a Kripke frame and let u; v be
(i) For all 2 FL('), u 2 mK ( ) i [u] 2 mK=FL(') ( ). (ii) For all [] 2 FL('), (a)if (u; v) 2 mK () then ([u]; [v]) 2 mK=FL(') (); (b)if ([u]; [v]) 2 mK=FL(') () and u 2 mK ([] ), then v 2 mK ( ). Proof The proof is by simultaneous induction on the well-founded subexpression relation. We start with (i). There are four cases, depending on the form of .
Case 1 For atomic propositions p 2 FL('), if u 2 mK(p), then by de nition of K=FL('), [u] 2 mK=FL(') (p). Conversely, if [u] 2 mK=FL(') (p), then there exists a u0 such that u0 u and u0 2 mK (p). But then u 2 mK (p) as well. Case 2 If ! 2 FL('), then by Lemma 6.1, both 2 FL(') and 2 FL('). By the induction hypothesis, (i) holds for and , therefore
s 2 mK ( ! ) () s 2 mK ( ) =) s 2 mK () () [s] 2 mK=FL(')( ) =) [s] 2 mK=FL(')() () [s] 2 mK=FL(')( ! ):
MIT Press Math7X9/2000/06/30:10:36 Page 197
Filtration and Decidability
197
Case 3 The case of 0 is easy. We leave the details as an exercise (Exercise 6.3). Case 4 If [] 2 FL('), we use the induction hypothesis for and . By Lemma 6.2(i), 2 FL('). By the induction hypothesis, (i) holds for and (ii) holds for []
. Using the latter fact, we have s 2 mK ([] ) =) 8t (([s]; [t]) 2 mK=FL(') () =) t 2 mK ( )) (6.2.1) by clause (b) of (ii). Conversely, 8t (([s]; [t]) 2 mK=FL(') () =) t 2 mK ( )) =) 8t ((s; t) 2 mK () =) t 2 mK ( )) (6.2.2) =) s 2 mK ([] ) by clause (a) of (ii). Then s 2 mK ([] ) () 8t (([s]; [t]) 2 mK=FL(') () =) t 2 mK ( )) by (6.2.1) and (6.2.2) () 8t (([s]; [t]) 2 mK=FL(') () =) [t] 2 mK=FL(')( )) by (i) for () [s] 2 mK=FL(')([] ): This completes the proof of (i). For (ii), there are ve cases, depending on the form of .
Case 1 For an atomic program a, part (a) of (ii) is immediate from the de nition of mK=FL(') (a). For part (b), if ([s]; [t]) 2 mK=FL(') (a), then by the de nition of mK=FL(') (a), there exist s0 s and t0 t such that (s0 ; t0 ) 2 mK (a). If s 2 mK ([a] ), then since s0 s and [a] 2 FL('), we have s0 2 mK ([a] ) as well, thus t0 2 mK ( ) by the semantics of [a]. But 2 FL(') by Lemma 6.2(i), and since t t0 , we have t 2 mK ( ). Case 2 For a test ?, by Lemma 6.2(ii) we have 2 FL('), thus (i) holds for by the induction hypothesis. Part (a) of (ii) is immediate from this. For (b), ([s]; [s]) 2 mK=FL(') (?) and s 2 mK ([?] ) =) [s] 2 mK=FL(') () and s 2 mK ( ! ) =) s 2 mK () and s 2 mK ( ! ) =) s 2 mK ( ):
MIT Press Math7X9/2000/06/30:10:36 Page 198
198
Chapter 6
Case 3 The case = [ is left as an exercise (Exercise 6.3). Case 4 For the case = ; , to show (a), we have by Lemma 6.2(iv) that [ ][ ] 2 FL(') and [ ] 2 FL('), so (a) holds for and ; then (s; t) 2 mK ( ; ) =) 9u (s; u) 2 mK ( ) and (u; t) 2 mK ( ) =) 9u ([s]; [u]) 2 mK=FL(') ( ) and ([u]; [t]) 2 mK=FL(') ( ) =) ([s]; [t]) 2 mK=FL(')( ; ): To show (b), we have by the induction hypothesis that (b) holds for [ ][ ] and [ ] . Then ([s]; [t]) 2 mK=FL(')( ; ) and s 2 mK ([ ; ] ) =) 9u ([s]; [u]) 2 mK=FL(') ( ); ([u]; [t]) 2 mK=FL(') ( ); and s 2 mK ([ ][ ] ) =) 9u ([u]; [t]) 2 mK=FL(') ( ) and u 2 mK ([ ] ) by (b) for [ ][ ] =) t 2 mK ( ) by (b) for [ ] :
Case 5 Finally, consider the case = . By Lemma 6.2(v), [ ][ ] 2 FL('), so we can assume that (ii) holds for [ ][ ] . (The induction hypothesis holds because is a proper subexpression of .) By part (a) of (ii), if (u; v) 2 mK ( ), then ([u]; [v]) 2 mK=FL(') ( ). Therefore if (s; t) 2 mK ( ), then there exist n 0 and t0 ; : : : ; tn such that s = t0 , (ti ; ti+1 ) 2 mK ( ) for 0 i < n, and tn = t. This implies that ([ti ]; [ti+1 ]) 2 mK=FL(')( ) for 0 i < n, therefore ([s]; [t]) = ([t0 ]; [tn ]) 2 mK=FL(') ( ). This establishes (a). To show (b), suppose ([s]; [t]) 2 mK=FL(')( ) and s 2 mK ([ ] ). Then there exist t0 ; : : : ; tn such that s = t0 , t = tn , and ([ti ]; [ti+1 ]) 2 mK=FL(')( ) for 0 i < n. We have that t0 = s 2 mK ([ ] ) by assumption. Now suppose ti 2 mK ([ ] ), i < n. Then ti 2 mK ([ ][ ] ). By the induction hypothesis for [ ][ ] 2 FL('), ti+1 2 mK ([ ] ). Continuing for n steps, we get t = tn 2 mK ([ ] ), therefore t 2 mK ( ), as desired. Using the ltration lemma, we can prove the small model theorem easily. Let ' be a satis able formula of PDL. Then ' is satis ed in a Kripke frame with no more than 2j'j states. Theorem 6.5 (Small Model Theorem):
Proof If ' is satis able, then there is a Kripke frame K and state u 2 K with
MIT Press Math7X9/2000/06/30:10:36 Page 199
Filtration and Decidability
199
u 2 mK ('). Let FL(') be the Fischer-Ladner closure of '. By the ltration lemma (Lemma 6.4), [u] 2 mK=FL(')('). Moreover, K=FL(') has no more states than the number of truth assignments to formulas in FL('), which by Lemma 6.3(i) is at most 2j'j.
It follows immediately that the satis ability problem for PDL is decidable, since there are only nitely many possible Kripke frames of size at most 2j'j to check, and there is a polynomial-time algorithm to check whether a given formula is satis ed at a given state in a given Kripke frame (Exercise 6.4). We will give a more ecient algorithm in Section 8.1.
6.3 Filtration over Nonstandard Models In Chapter 7 we will prove the completeness of a deductive system for PDL. The proof will also make use of the ltration lemma (Lemma 6.4), but in a somewhat stronger form. We will show that it also holds for nonstandard Kripke frames (to be de ned directly) as well as the standard Kripke frames de ned in Section 5.2. The completeness theorem will be obtained by constructing a nonstandard Kripke frame from terms, as we did for propositional and rst-order logic in Sections 3.2 and 3.4, and then applying the ltration technique to get a nite standard Kripke frame. A nonstandard Kripke frame is any structure N = (N; mN ) that is a Kripke frame in the sense of Section 5.2 in every respect, except that mN ( ) need not be the re exive transitive closure of mN (), but only a re exive, transitive binary relation containing mN () satisfying the PDL axioms for (Axioms 5.5(vii) and (viii)). In other words, we rescind the de nition
[ mN( ) def = mN ()n ; n0
(6.3.1)
and replace it with the weaker requirement that mN ( ) be a re exive, transitive binary relation containing mN() such that mN([ ]') = mN (' ^ [ ; ]') mN([ ]') = mN (' ^ [ ](' ! []')):
(6.3.2) (6.3.3)
Otherwise, N must satisfy all other requirements as given in Section 5.2. For
MIT Press Math7X9/2000/06/30:10:36 Page 200
200
Chapter 6
example, it must still satisfy the properties mN ( ; ) = mN () mN( ) [ mN ( ) mN()n : n0
A nonstandard Kripke frame standard if it satis es (6.3.1). According to our de nition, all standard Kripke frames are nonstandard Kripke frames, since standard Kripke frames satisfy (6.3.2) and (6.3.3), but not necessarily vice-versa (Exercise 7.3). It is easily checked that all the axioms and rules of PDL (Axiom System 5.5) are still sound over nonstandard Kripke frames. One consequence of this is that all theorems and rules derived in this system are valid for nonstandard frames as well as standard ones. In particular, we will use the results of Theorem 5.18 in the proof of Lemma 6.6 below. Let N be a nonstandard Kripke frame and let ' be a proposition. We can construct the nite standard Kripke frame N=FL(') exactly as before, and N=FL(') will have at most 2j'j states. Note that in N=FL('), the semantics of is de ned in the standard way using (6.3.1). The ltration lemma (Lemma 6.4) holds for nonstandard Kripke frames as well as standard ones: Lemma 6.6 (Filtration for Nonstandard Models): dard Kripke frame and let u; v be states of N.
Let N be a nonstan-
(i) For all 2 FL('), u 2 mN ( ) i [u] 2 mN=FL(') ( ). (ii) For all [] 2 FL('), (a)if (u; v) 2 mN () then ([u]; [v]) 2 mN=FL(') (); (b)if ([u]; [v]) 2 mN=FL(')() and u 2 mN ([] ), then v 2 mN ( ). Proof The argument is exactly the same as in the previous version for standard frames (Lemma 6.4) except for the cases involving . Also, part (b) of (ii) for the case = uses only the fact that N=FL(') is standard, not that N is standard, so this argument will hold for the nonstandard case as well. Thus the only extra work we need to do for the nonstandard version is part (a) of (ii) for the case = . The proof for standard Kripke frames K given in Lemma 6.4 depended on the fact that mK ( ) was the re exive transitive closure of mK (). This does not hold in nonstandard Kripke frames in general, so we must depend on the weaker induction axiom.
MIT Press Math7X9/2000/06/30:10:36 Page 201
Filtration and Decidability
201
For the nonstandard Kripke frame N, suppose (u; v) 2 mN( ). We wish to show that ([u]; [v]) 2 mN=FL(')( ), or equivalently that v 2 E , where
E def = ft 2 N j ([u]; [t]) 2 mN=FL(')( )g: There is a PDL formula E de ning E in N; that is, E = mN ( E ). This is because E is a union of equivalence classes de ned by truth assignments to the elements of FL('). The formula E is a disjunction of conjunctive formulas [t] , one for each equivalence class [t] contained in E . The conjunction [t] includes either or : for all 2 FL('), depending on whether the truth assignment de ning [t] takes value 1 or 0 on , respectively. Now u 2 E since ([u]; [u]) 2 mN=FL(') ( ). Also, E is closed under the action of mN (); that is, s 2 E and (s; t) 2 mN () =) t 2 E: (6.3.4) To see this, observe that if s 2 E and (s; t) 2 mN (), then ([s]; [t]) 2 mN=FL(') () by the induction hypothesis (ii), and ([u]; [s]) 2 mN=FL(')( ) by the de nition of E , therefore ([u]; [t]) 2 mN=FL(') ( ). By the de nition of E , t 2 E . These facts do not immediately imply that v 2 E , since mN ( ) is not necessarily the re exive transitive closure of mN (). However, since E = mN ( E ), (6.3.4) is equivalent to N E
! [] E :
Using the loop invariance rule (LI) of Section 5.6, we get N E
! [ ] E :
By Theorem 5.18, (LI) is equivalent to the induction axiom (IND). (The proof of equivalence was obtained deductively, not semantically, therefore is valid for nonstandard models.) Now (u; v) 2 mN ( ) by assumption, and u 2 E , therefore v 2 E . By de nition of E , ([u]; [v]) 2 mN=FL(') ( ).
6.4 Bibliographical Notes The ltration argument and the small model property for PDL are due to Fischer and Ladner (1977, 1979). Nonstandard Kripke frames for PDL were studied by Berman (1979, 1982), Parikh (1978a), Pratt (1979a, 1980a), and Kozen (1979c,b, 1980a,b, 1981b).
MIT Press Math7X9/2000/06/30:10:36 Page 202
202
Chapter 6
Exercises 6.1. Complete the proof of Lemma 6.1. For part (i), ll in the argument for the cases of an atomic proposition p and the constant proposition 0. For (ii), ll in the argument for the cases of an atomic program a and compound programs of the form [ and '?. 6.2. Prove Lemma 6.2. 6.3. Complete the proof of Lemma 6.4 by lling in the arguments for part (i), case 3 and part (ii), case 3. 6.4. Give a polynomial time algorithm to check whether a given PDL formula is satis ed at a given state in a given Kripke frame. Describe brie y the data structures you would use to represent the formula and the Kripke frame. Specify your algorithm at a high level and give a brief complexity analysis. 6.5. Prove that all nite nonstandard Kripke frames are standard.
MIT Press Math7X9/2000/06/30:10:36 Page 203
7 Deductive Completeness In Section 5.5 we gave a formal deductive system (Axiom System 5.5) for deducing properties of Kripke frames expressible in the language of PDL. For convenience, we collect the axioms and rules of inference here. To the right of each axiom or rule appears a reference to the proof of its soundness. Axioms of PDL (i) Axioms for propositional logic Section 3.2 (ii) [](' ! ) ! ([]' ! [] ) Theorem 5.6(iv) (iii) [](' ^ ) $ []' ^ [] Theorem 5.6(ii) (iv) [ [ ]' $ []' ^ [ ]' Theorem 5.8(ii) (v) [ ; ]' $ [][ ]' Theorem 5.10(ii) (vi) [ ?]' $ ( ! ') Theorem 5.11(ii) Theorem 5.15(ix) (vii) ' ^ [][ ]' $ [ ]' Theorem 5.15(xi) (viii) ' ^ [ ](' ! []') ! [ ]' In PDL with converse ; , we also include Theorem 5.13(i) (ix) ' ! []<; >' ; Theorem 5.13(ii) (x) ' ! [ ]<>'
Rules of Inference (MP) '; ' !
Section 3.2
(GEN) [']' Theorem 5.7(i). We write ` ' if the formula ' is provable in this deductive system. Recall from Section 3.1 that a formula ' is consistent if 0 :', that is, if it is not theV case that ` :'; that a nite set of formulas is consistent if its conjunction is consistent; and that an in nite set of formulas is consistent if every nite subset is consistent.
7.1 Deductive Completeness This deductive system is complete: all valid formulas are theorems. To prove this fact, we will use techniques from Section 3.2 to construct a nonstandard Kripke
MIT Press Math7X9/2000/06/30:10:36 Page 204
204
Chapter 7
frame from maximal consistent sets of formulas. Then we will use the ltration lemma for nonstandard models (Lemma 6.6) to collapse this nonstandard model to a nite standard model. Since our deductive system contains propositional logic as a subsystem, the following lemma holds. The proof is similar to the proof of Lemma 3.10 for propositional logic. Lemma 7.1:
Let be a set of formulas of PDL. Then
(i) is consistent i either [ f'g is consistent or [ f:'g is consistent; (ii) if is consistent, then is contained in a maximal consistent set. In addition, if is a maximal consistent set of formulas, then (iii) contains all theorems of PDL; (iv) if ' 2 and ' ! 2 , then 2 ; (v) ' _ 2 i ' 2 or 2 ; (vi) ' ^ 2 i ' 2 and 2 ; (vii) ' 2 i :' 62 ; (viii) 0 62 . Proof Exercise 7.1.
We also have an interesting lemma peculiar to PDL. Let and ; be maximal consistent sets of formulas and let be a program. The following two statements are equivalent: Lemma 7.2:
(a) For all formulas , if 2 ;, then <> 2 . (b) For all formulas , if [] 2 , then 2 ;. Proof (a) =) (b): []
2 =) <>: 62 by Lemma 7.1(vii) =) : 26 ; by (a) =) 2 ; by Lemma 7.1(vii).
MIT Press Math7X9/2000/06/30:10:36 Page 205
Deductive Completeness
205
(b) =) (a):
2 ; =) : 62 ; by Lemma 7.1(vii) =) []: 62 by (b) =) <> 2 by Lemma 7.1(vii). Now we construct a nonstandard Kripke frame N = (N; mN) as de ned in Section 6.3. The states N will be the maximal consistent sets of formulas. We will write s; t; u; : : : for elements of N and call them states, but bear in mind that every s 2 N is a maximal consistent set of formulas, therefore it makes sense to write ' 2 s. Formally, let N = (N; mN) be de ned by:
N def = fmaximal consistent sets of formulas of PDLg def mN(') = fs j ' 2 sg mN() def = f(s; t) j for all ', if ' 2 t, then <>' 2 sg = f(s; t) j for all ', if []' 2 s, then ' 2 tg: The two de nitions of mN() are equivalent by Lemma 7.2. Note that the de nitions of mN(') and mN () apply to all propositions ' and programs , not just the atomic ones; thus the meaning of compound propositions and programs is not de ned inductively from the meaning of the atomic ones as usual. However, mN ( ) will satisfy the axioms of , and all the other operators will behave in N as they do in standard models; that is, as if they were de ned inductively. We will have to prove this in order to establish that N is a nonstandard Kripke frame according to the de nition of Section 6.3. We undertake that task now. Lemma 7.3:
(i) mN(' ! ) = (N ; mN (')) [ mN ( ) (ii) mN(0) = ? (iii) mN ([]') = N ; mN() (N ; mN (')). Proof The equations (i) and (ii) follow from Lemma 7.1(iv) and (viii), respectively. It follows that mN(:') = N ; mN('); this is also a consequence of Lemma 7.1(vii).
MIT Press Math7X9/2000/06/30:10:36 Page 206
206
Chapter 7
For (iii), it suces to show that mN (<>') = mN () mN ('): We prove both inclusions separately. s 2 mN() mN(') () 9t (s; t) 2 mN () and t 2 mN (') () 9t (8 2 t <> 2 s) and ' 2 t =) <>' 2 s () s 2 mN(<>'): Conversely, suppose s 2 mN (<>'); that is, <>' 2 s. We would like to construct t such that (s; t) 2 mN () and t 2 mN ('). We rst show that the set f'g [ f j [] 2 sg (7.1.1) is consistent. Let f 1 ; : : : ; k g be an arbitrary nite subset of f j [] 2 sg. Then <>'
^ [] 1 ^ ^ []
k
2 s
by Lemma 7.1(vi), therefore <>(' ^ 1 ^ ^ k ) 2 s by Exercise 5.9(i) and Lemma 7.1(iii) and (iv). Since s is consistent, the formula <>(' ^ 1 ^ ^ k ) is consistent, therefore so is the formula
'^
1 ^ ^ k
by the rule (GEN). This says that the nite set f'; 1 ; : : : ; k g is consistent. Since these elements were chosen arbitrarily from the set (7.1.1), that set is consistent. As in the proof of Lemma 3.10, (7.1.1) extends to a maximal consistent set t, which is a state of N. Then (s; t) 2 mN () and t 2 mN (') by the de nition of mN () and mN ('), therefore s 2 mN () mN ('). Lemma 7.4:
(i) mN( [ ) = mN () [ mN( ) (ii) mN( ; ) = mN() mN( ) (iii) mN( ?) = f(s; s) j s 2 mN( )g.
MIT Press Math7X9/2000/06/30:10:36 Page 207
Deductive Completeness
207
In PDL with converse ; , (iv) mN(; ) = mN(); . Proof We argue (ii) and (iii) explicitly and leave the others as exercises (Exercise 7.2). For the reverse inclusion of (ii),
(u; v) 2 mN () mN ( ) () 9w (u; w) 2 mN() and (w; v) 2 mN ( ) () 9w 8' 2 v < >' 2 w and 8 2 w <> 2 u =) 8' 2 v <>< >' 2 u () 8' 2 v < ; >' 2 u () (u; v) 2 mN( ; ): For the forward inclusion, suppose (u; v) 2 mN( ; ). We claim that the set f' j []' 2 ug [ f< > j 2 vg (7.1.2) is consistent. Let
f'1 ; : : : ; 'k g f' j []' 2 ug f< > 1 ; : : : ; < > m g f< > j 2 vg be arbitrarily chosen nite subsets, and let ' = '1 ^ ^ 'k ; = 1 ^ ^ m: Then 2 v by Lemma 7.1(vi), and since (u; v) 2 mN ( ; ), we have by the de nition of mN ( ; ) that < ; > 2 u. Also []' 2 u, since []'
$ []'1 ^ ^ []'k
is a theorem of PDL, and the right-hand side is in u by Lemma 7.1(vi). It follows that []' ^ <>< > 2 u. By Exercise 5.9(i), <>(' ^ < > ) 2 u, thus by (GEN), ' ^ < > is consistent. But
` ' ^ < >
! '1 ^ ^ 'k ^ < > 1 ^ ^ < > m ;
so the right-hand side of the implication is consistent. As this was the conjunction of an arbitrary nite subset of (7.1.2), (7.1.2) is consistent, thus extends to a maximal consistent set w. By the de nition of mN() and mN ( ), (u; w) 2 mN() and
MIT Press Math7X9/2000/06/30:10:36 Page 208
208
Chapter 7
(w; v) 2 mN ( ), therefore (u; v) 2 mN() mN( ). For (iii), (s; t) 2 mN ( ?) () 8' 2 t < ?>' 2 s de nition of mN ( ?) () 8' 2 t ^ ' 2 s Exercise 5.9(v) () 8' 2 t 2 s and ' 2 s Lemma 7.1(vi) () t s and 2 s () t = s and 2 s since t is maximal () t = s and s 2 mN( ): Theorem 7.5: The structure N is a nonstandard Kripke frame according to the
de nition of Section 6.3.
Proof By Lemmas 7.3 and 7.4, the operators !, 0, [ ], ;, [, ; , and ? behave in N as in standard models. It remains to argue that the properties [ ]' $ ' ^ [ ; ]' [ ]' $ ' ^ [ ](' ! []') of the operator hold at all states. But this is immediate, since both these properties are theorems of PDL (Exercise 5.9), thus by Lemma 7.1(iii) they must be in every maximal consistent set. This guarantees that N satis es conditions (6.3.2) and (6.3.3) in the de nition of nonstandard Kripke frames. The de nition of the nonstandard Kripke frame N is independent of any particular '. It is a universal model in the sense that every consistent formula is satis ed at some state of N. Theorem 7.6 (Completeness of PDL):
If ' then ` '.
Proof Equivalently, we need to show that if ' is consistent, then it is satis ed in a standard Kripke frame. If ' is consistent, then by Lemma 7.1(ii), it is contained in a maximal consistent set u, which is a state of the nonstandard Kripke frame N constructed above. By the ltration lemma for nonstandard models (Lemma 6.6), ' is satis ed at the state [u] in the nite Kripke frame N=FL('), which is a standard Kripke frame by de nition.
MIT Press Math7X9/2000/06/30:10:36 Page 209
Deductive Completeness
209
7.2 Logical Consequences In classical logics, a completeness theorem of the form of Theorem 7.6 can be adapted to handle the relation of logical consequence ' j= between formulas because of the deduction theorem, which says
'`
() ` ' ! :
Unfortunately, the deduction theorem fails in PDL, as can be seen by taking = [a]p and ' = p. However, the following result allows Theorem 7.6, as well as Algorithm 8.2 of the next section, to be extended to handle the logical consequence relation: Let ' and be any PDL formulas. Then ' j= () j= [(a1 [ [ an ) ]' ! ; where a1 ; : : : ; an are all atomic programs appearing in ' or . Allowing in nitary conjunctions, if is a set of formulas in which only nitely many atomic programs appear, then ^ j= () j= f[(a1 [ [ an ) ]' j ' 2 g ! ; where a1 ; : : : ; an are all atomic programs appearing in or . Theorem 7.7:
We leave the proof of Theorem 7.7 as an exercise (Exercise 7.4).
7.3 Bibliographical Notes The axiomatization of PDL used here (Axiom System 5.5) was introduced by Segerberg (1977). Completeness was shown independently by Gabbay (1977) and Parikh (1978a). A short and easy-to-follow proof is given in Kozen and Parikh (1981). Completeness is also treated in Pratt (1978, 1980a); Berman (1979); Nishimura (1979). The completeness proof given here is from Kozen (1981a) and is based on the approach of Berman (1979); Pratt (1980a).
Exercises 7.1. Prove Lemma 7.1. (Hint. Study the proof of Lemma 3.10.)
MIT Press Math7X9/2000/06/30:10:36 Page 210
210
Chapter 7
7.2. Supply the missing proofs of parts (i) and (iv) of Lemma 7.4. 7.3. Prove that PDL is compact over nonstandard models; that is, every nitely satis able set of propositions is satis able in a nonstandard Kripke frame. Conclude that there exists a nonstandard Kripke frame that is not standard. 7.4. Prove Theorem 7.7.
MIT Press Math7X9/2000/06/30:10:36 Page 211
8 Complexity of PDL In this chapter we ask the question: how dicult is it to determine whether a given formula ' of PDL is satis able? This is known as the satis ability problem for PDL.
8.1 A Deterministic Exponential-Time Algorithm The small model theorem (Theorem 6.5) gives a naive deterministic algorithm for the satis ability problem: construct all Kripke frames of at most 2j'j states and check whether ' is satis ed at any state in any of them. Although checking whether a given formula is satis ed in a given state of a given Kripke frame can be done quite eciently (Exercise 6.4), the naive satis ability algorithm is highly inecient. For one thing, the models constructed are of exponential size in the length of the given formula; for another, there are 22O( ' ) of them. Thus the naive satis ability algorithm takes double exponential time in the worst case. Here we develop an algorithm that runs in deterministic single-exponential time. One cannot expect to get a much more ecient algorithm than this due to a corresponding lower bound (Corollary 8.6). In fact, the problem is deterministic exponential-time complete (Theorem 8.5). The algorithm attempts to construct the small model j
j
M = (M; mM ) = N=FL(')
described in the proof of Theorem 7.6 explicitly. Here N is the universal nonstandard Kripke frame constructed in Section 7.1 and M is the small model obtained by ltration with respect to '. If ' is satis able, then it is consistent, by the soundness of Axiom System 5.5; then ' will be satis ed at some state u of N, hence also at the state [u] of M. If ' is not satis able, then the attempt to construct a model will fail; in this case the algorithm will halt and report failure. Our approach will be to start with a superset of the set of states of M, then repeatedly delete states when we discover some inconsistency. This will give a sequence of approximations M0
M1 M2
converging to M. We start with the set M0 of all subsets
u FL(') [ f: j 2 FL(')g
MIT Press Math7X9/2000/06/30:10:36 Page 212
212
Chapter 8
such that for each 2 FL('), exactly one of or : is in u. (Alternatively, we could take M0 to be the set of truth assignments to FL(').) By Lemma 7.1(vii), each state s of N determines a unique element of M0 , namely
us def = s \ (FL(') [ f: j 2 FL(')g): Moreover, by the de nition of the equivalence relation of Section 6.2, [s] = [t] () s t () us = ut ; thus the map s 7! us is well-de ned on -equivalence classes and gives a one-to-one embedding [s] 7! us : M ! M0 . We henceforth identify the state [s] of M with its image us in M0 under this embedding. This allows us to regard M as a subset of M0 . However, there are some elements of M0 that do not correspond to any state of M, and these are the ones to be deleted. Now we are left with the question: how do we distinguish the sets us from those not corresponding to any state of M? This question is answered in the following lemma. Lemma 8.1:
Let u 2 M0 . Then u 2 M if and only if u is consistent.
Proof By Lemma 6.6(i), every us is consistent, because it has a model: it is satis ed at the state [s] of M. Conversely, if u 2 M0 is consistent, then by Lemma 7.1(ii) it extends to a maximal consistent set ub, which is a state of the nonstandard Kripke frame N; and by Lemma 6.6(i), [ub] is a state of M satisfying u.
We now construct a sequence of structures Mi = (Mi ; mMi ), i 0, approximating M. The domains Mi of these structures will be de ned below and will satisfy
M0 M1 M2 The interpretations of the atomic formulas and programs in Mi will be de ned in the same way for all i: def
= fu 2 Mi j p 2 ug (8.1.1) = f(u; v) 2 Mi2 j for all [a] 2 FL('), if [a] 2 u, then 2 vg:(8.1.2) The map mMi extends inductively in the usual way to compound programs and propositions to determine the frame Mi . mMi (p) mMi (a)
def
MIT Press Math7X9/2000/06/30:10:36 Page 213
Complexity of PDL
213
Here is the algorithm for constructing the domains Mi of the frames Mi . Algorithm 8.2:
Step 1 Construct M0. Step 2 For each u 2 M0, check whether u respects Axioms 5.5(i) and (iv){(vii),
all of which can be checked locally. For example, to check Axiom 5.5(iv), which says [
[ ]
$ [] ^ [ ] ;
check for any formula of the form [ [ ] 2 FL(') that [ [ ] 2 u if and only if both [] 2 u and [ ] 2 u. Let M1 be the set of all u 2 M0 passing this test. The model M1 is de ned by (8.1.1) and (8.1.2) above. Step 3 Repeat the following for i = 1; 2; : : : until no more states are deleted. Find a formula [] 2 FL(') and a state u 2 Mi violating the property (8.1.3) (8v ((u; v) 2 mMi () =) 2 v)) =) [] 2 u; that is, such that :[] 2 u, but for no v such that (u; v) 2 mMi () is it the case that : 2 v. Pick such an [] and u for which jj is minimum. Delete u from Mi to get Mi+1 . Step 3 can be justi ed intuitively as follows. To say that u violates the condition (8.1.3) says that u would like to go under to some state satisfying : , since u contains the formula :[] , which is equivalent to <>: ; but the left-hand side of (8.1.3) says that none of the states it currently goes to under want to satisfy : . This is evidence that u might not be in M, since in M every state w satis es every 2 w by Lemma 6.6(i). But u may violate (8.1.3) not because u 62 M, but because there is some other state v 62 M whose presence aects the truth of some subformula of [] . This situation can be avoided by choosing jj minimum. The algorithm must terminate, since there are only nitely many states initially, and at least one state must be deleted in each iteration of step 3 in order to continue. The correctness of this algorithm will follow from the following lemma. Note the similarity of this lemma to Lemmas 6.4 and 6.6. Let i 0, and assume that M Mi . Let 2 FL(') be such that every [] 2 FL() and u 2 Mi satisfy (8.1.3). (i) For all 2 FL() and u 2 Mi , 2 u i u 2 mMi ( ). (ii) For all [] 2 FL() and u; v 2 Mi , Lemma 8.3:
MIT Press Math7X9/2000/06/30:10:36 Page 214
214
Chapter 8
(a)if (u; v) 2 mM (), then (u; v) 2 mMi (); (b)if (u; v) 2 mMi () and [] 2 u, then 2 v. Proof The proof is by simultaneous induction on the subterm relation. (i) The basis for atomic p is by de nition as given in (8.1.1). The induction steps for ! and 0 are easy and are left as exercises (Exercise 8.1). For the case [] ,
2u =) 8v (u; v) 2 mMi () =) 2 v induction hypothesis (ii)(b) =) 8v (u; v) 2 mMi () =) v 2 mMi ( ) induction hypothesis (i) =) u 2 mMi ([] ):
[]
Conversely,
u 2 mMi ([] ) =) 8v (u; v) 2 mMi () =) v 2 mMi ( ) induction hypothesis (i) =) 8v (u; v) 2 mMi () =) 2 v =) [] 2 u by (8.1.3). (ii)(a) For the basis, let a be an atomic program. (u; v) 2 mM (a) =) 8 ([a] 2 FL(') and [a] 2 u) =) 2 v =) (u; v) 2 mMi (a) by (8.1.2). The case [ is left as an exercise (Exercise 8.1). For the case ; , (u; v) 2 mM ( ; ) () 9w 2 M (u; w) 2 mM () and (w; v) 2 mM ( ) =) 9w 2 Mi (u; w) 2 mMi () and (w; v) 2 mMi ( ) () (u; v) 2 mMi ( ; ): The second step uses the induction hypothesis and the fact that M Mi . The induction hypothesis holds for and because [][ ] 2 FL() and [ ] 2 FL() by Lemma 6.2(iv). The case follows from this case by iteration, and is left as an exercise (Exercise 8.1).
MIT Press Math7X9/2000/06/30:10:36 Page 215
Complexity of PDL
215
For the case ?, (u; v) 2 mM ( ?) () u = v and u 2 mM ( ) =) u = v and 2 u () u = v and u 2 mMi ( ) () (u; v) 2 mMi ( ?):
Lemma 6.6(i) induction hypothesis (i)
(ii)(b) For the basis, let a be an atomic program. Then (u; v) 2 mMi (a) and [a] 2 u =)
2 v by (8.1.2).
The cases [ and ; are left as exercises (Exercise 8.1). For the case , suppose (u; v) 2 mMi ( ) and [ ] 2 u. Then there exist u0 ; : : : ; un , n 0, such that u = u0 , v = un , and (ui ; ui+1 ) 2 mMi (), 0 i n ; 1. Also [][ ] 2 u0 , otherwise u0 would have been deleted in step 2. By the induction hypothesis (ii)(b), [ ] 2 u1 . Continuing in this fashion, we can conclude after n steps of this argument that [ ] 2 un = v. Then 2 v, otherwise v would have been deleted in step 2. Finally, for the case ?, if (u; v) 2 mMi ( ?) and [ ?] 2 u, then u = v and u 2 mMi ( ). By the induction hypothesis (i), 2 u. Thus 2 u, otherwise u would have been deleted in step 2. Note that Lemma 8.3(ii)(a) actually holds of [] 2 FL(') even if there exists u 2 Mi violating (8.1.3), provided jj is minimum. This is because the condition regarding (8.1.3) in the statement of the lemma holds on strict subformulas of , and that is all that is needed in the inductive proof of (ii)(a) for . This says that no u 2 M is ever deleted in step 3, since for u 2 M , 8v 2 Mi ((u; v) 2 mMi () =) 2 v) =) 8v 2 M ((u; v) 2 mM () =) 2 v) Lemma 8.3(ii)(a) () 8v 2 M ((u; v) 2 mM () =) v 2 mM ( )) Lemma 6.6(i) () u 2 mM ([] ) de nition of mM =) [] 2 u Lemma 6.6(i). Since every u 2 M passes the test of step 2 of the algorithm, and since no u 2 M is ever deleted in step 3, we have M Mi for all i 0. Moreover, when the algorithm terminates with some model Mn , by Lemma 8.3(i), every u 2 Mn is satis able, since it is satis ed by the state u in the model Mn ; thus Mn = M. We can now test the satis ability of ' by checking whether ' 2 u for some u 2 Mn .
MIT Press Math7X9/2000/06/30:10:36 Page 216
216
Chapter 8
Algorithm 8.2 can be programmed to run in exponential time without much diculty. The eciency can be further improved by observing that the minimal in the [] violating (8.1.3) in step 3 must be either atomic or of the form because of the preprocessing in step 2. This follows easily from Lemma 8.3. We have shown: There is an exponential-time algorithm for deciding whether a given formula of PDL is satis able. Theorem 8.4:
As previously noted, Theorem 7.7 allows this algorithm to be adapted to test whether one formula is a logical consequence of another.
8.2 A Lower Bound In the previous section we gave an exponential-time algorithm for deciding satis ability in PDL. Here we establish the corresponding lower bound. Theorem 8.5:
The satis ability problem for PDL is EXPTIME -complete.
Proof In light of Theorem 8.4, we need only show that PDL is EXPTIME -hard (see Section 2.3). We do this by constructing a formula of PDL whose models encode the computation of a given linear-space-bounded one-tape alternating Turing machine M on a given input x of length n over M 's input alphabet. We show how to de ne a formula AcceptsM;x involving the single atomic program Next, atomic propositions Symbolai and Stateqi for each symbol a in M 's tape alphabet, q a state of M 's nite control, and 0 i n, and an atomic proposition Accept. The formula AcceptsM;x will have the property that any satisfying Kripke frame encodes an accepting computation of M on x. In any such Kripke frame, states u will represent con gurations of M occurring in the computation tree of M on input x; the truth values of Symbolai and Stateqi at state u will give the tape contents, current state, and tape head position in the con guration corresponding to u. The truth value of the atomic proposition Accept will be 1 at u i the computation beginning in state u is an accepting computation according to the rules of alternating Turing machine acceptance (Section 2.1). Let ; be M 's tape alphabet and Q the set of states. We assume without loss of generality that the machine is 2O(n) -time bounded. This can be enforced by requiring M to count each step it takes on a separate track and to shut o after
MIT Press Math7X9/2000/06/30:10:36 Page 217
Complexity of PDL
217
cn steps, where cn bounds the number of possible con gurations of M on inputs of length n. There are at most ;n+2 Q (n + 2) such con gurations, and c can be chosen large enough that cn bounds this number.
We also assume without loss of generality that the input is enclosed in left and right endmarkers ` and a, respectively, that these symbols are never overwritten, and that M is constrained never to move to the left of ` nor to the right of a. Now we encode con gurations as follows. The atomic proposition Symbolai says, \Tape cell i currently has symbol a written on it." The atomic proposition Stateqi says, \The tape head is currently scanning tape cell i in state q." We also allow State`i and Stateri , where `; r 62 Q are special annotations used to indicate that the tape head is currently scanning a cell somewhere to the left or right, respectively, of cell i. \Exactly one symbol occupies every tape cell." ^ _ ^ (Symbolai ^ :Symbolbi ) 0in+1 a2;
b2; b6=a
\The symbols occupying the rst and last tape cells are the endmarkers ` and a, respectively." Symbol`0 ^ Symbolan+1 \The machine is in exactly one state scanning exactly one tape cell." _ _ q 0in+1 q2Q
^ ^ ^
^
Statei
_
(Stateqi ^
0in+1 q2Q[f`;rg
^
^
p2Q[f`;rg p6=q q (Statei ! State`i+1 )
0in q2Q[f`g
^
^
^
:Statepi )
1in+1 q2Q[frg
(Stateqi ! Stateri;1 ):
Let Config be the conjunction of these three formulas. Then u Config i u represents a con guration of M on an input of length n. Now we can write down formulas that say that M moves correctly. Here we use the atomic program Next to represent the binary next-con guration relation. For each (state, tape symbol) pair (q; a), let (q; a) be the set of all (state, tape symbol, direction) triples describing a possible action M can take when scanning symbol
MIT Press Math7X9/2000/06/30:10:36 Page 218
218
Chapter 8
a in state q. For example, if (p; b; ;1) 2 (q; a), this means that when scanning a tape cell containing a in state q, M can print b on that tape cell, move its head one cell to the left, and enter state p.
\If the tape head is not currently scanning cell i, then the symbol written on cell i does not change." ^ `
^
0in+1
a2;
((Statei _ Stateri ) !
(Symbolai ! [Next]Symbolai ))
\The machine moves according to its transition relation." ^ ^ ((Symbolai ^ Stateqi ) ! 0in+1 a2;
(
q2Q
^
(p;b;d)2(q;a)
^
^ Statepi+d ))
(8.2.1)
(Symbolbi ^ Statepi+d )))
(8.2.2)
[Next](
_
(p;b;d)2(q;a)
Note that when (q; a) = ?, clause (8.2.1) reduces to 1 and clause (8.2.2) reduces to [Next]0. This gures into the de nition of acceptance below. Let Move be the conjunction of these two formulas. Then u Move if the con gurations represented by states v such that (u; v) is in the relation denoted by Next are exactly the con gurations that follow from the con guration represented by u in one step according to the transition relation of M . We can describe the start con guration of the machine M on input x:
\The machine is in its start state s with its tape head scanning the left endmarker, and x = x1 xn is written on the tape." ^ States0 ^ Symbolxi i 1in
Let this formula be called Start. Finally, we can describe the condition of acceptance for alternating Turing machines. Let U Q be the set of universal states of M and let E Q be the set of existential states of M . Then Q = U [ E and U \ E = ?.
\If q is an existential state, then q leads to acceptance if at least one of its
MIT Press Math7X9/2000/06/30:10:36 Page 219
Complexity of PDL
219
successor con gurations leads to acceptance."
^
^
0in+1 q2E
(Stateqi ! (Accept $
(8.2.3)
\If q is a universal state, then q leads to acceptance if all its successor con gurations lead to acceptance." ^ ^ (Stateqi ! (Accept $ [Next]Accept)) 0in+1 q2U
(8.2.4)
Let Acceptance denote the conjunction of these two formulas. Recall from Section 2.1 that an accept con guration of M is a universal con guration with no next con guration and a reject con guration is an existential con guration with no next con guration. As observed above, when this occurs, clauses (8.2.1) and (8.2.2) reduce to 1 and [Next]0, respectively. In conjunction with Acceptance, this implies that Accept is always true at accept con gurations and always false at reject con gurations. Now let AcceptsM;x be the formula Start ^ [Next](Config ^ Move ^ Acceptance) ^ Accept: Then M accepts x if and only if AcceptsM;x is satis able. We have given an ecient reduction from the membership problem for linearspace alternating Turing machines to the problem of PDL satis ability. For EXPTIME -hardness, we need to give a reduction from the membership problem for polynomial-space alternating Turing machines, but essentially the same construction works. The only dierences are that instead of the bound n we use the bound nk for some xed constant k in the de nition of the formulas, and the formula Start is modi ed to pad the input out to length nk with blanks: States0 ^
^
1in
Symbolxi i ^
^
n+1ink
Symbolxiy :
Since the membership problem for alternating polynomial-space machines is EXPTIME -hard (Chandra et al. (1981)), so is the satis ability problem for PDL. There is a constant c > 1 such that the satis ability problem for PDL is not solvable in deterministic time cn= log n , where n is the size of the input formula. Corollary 8.6:
Proof An analysis of the construction of AcceptsM;x in the proof of Theorem
MIT Press Math7X9/2000/06/30:10:36 Page 220
220
Chapter 8
8.5 reveals that its length is bounded above by an log n for some constant a, where n = jxj, and the time to construct AcceptsM;x from x is at most polynomial in n. The number of symbols in ; and states in Q are constants and contribute at most a constant factor to the length of the formula. Now we can use the fact that the complexity class DTIME (2n ) contains a set A not contained in any complexity class DTIME (dn ) for any d < 2 (see Hopcroft and Ullman (1979)). Since A 2 DTIME (2n ), it is accepted by an alternating linearspace Turing machine M (Chandra et al. (1981); see Section 2.1). We can decide membership in A by converting a given input x to the formula AcceptsM;x using the reduction of Theorem 8.5, then deciding whether AcceptsM;x is satis able. Since jAcceptsM;x j an log n, if the satis ability problem is in DTIME (cn= log n ) for some constant c, then we can decide membership in A in time
nk + can log n= log(an log n) ; the term nk is the time required to convert x to AcceptsM;x, and the remaining term is the time required to decide the satis ability of AcceptsM;x. But, assuming a 1,
nk + can log n= log(an log n) nk + can log n= log n nk + can ; which for c < 21=a is asymptotically less than 2n . This contradicts the choice of A. It is interesting to compare the complexity of satis ability in PDL with the complexity of satis ability in propositional logic. In the latter, satis ability is NP -complete; but at present it is not known whether the two complexity classes EXPTIME and NP dier. Thus, as far as current knowledge goes, the satis ability problem is no easier in the worst case for propositional logic than for its far richer superset PDL.
8.3 Compactness and Logical Consequences As we have seen, current knowledge does not permit a signi cant dierence to be observed between the complexity of satis ability in propositional logic and in PDL. However, there is one easily veri ed and important behavioral dierence: propositional logic is compact , whereas PDL is not. Compactness has signi cant implications regarding the relation of logical con-
MIT Press Math7X9/2000/06/30:10:36 Page 221
Complexity of PDL
221
sequence. If a propositional formula ' is a consequence of a set ; of propositional formulas, then it is already a consequence of some nite subset of ;; but this is not true in PDL. Recall that we write ; ' and say that ' is a logical consequence of ; if ' satis ed in any state of any Kripke frame K all of whose states satisfy all the formulas of ;. That is, if K ;, then K '. An alternative intepretation of logical consequence, not equivalent to the above, is that in any Kripke frame, the formula ' holds in any state satisfying all formulas V in ;. Allowing in nite conjunctions, we might write this as ; ! ' . This is not V the same as ; ', since ; ! ' implies ; ', but not necessarily vice versa. A counterexample is provided by ; = fpg and ' = [a]p. However, if ; contains only nitely V many atomic programs, we can reduce the problem ; ' to the problem ;0 ! ' for a related ;0 , as shown in Theorem 7.7. Under either interpretation, compactness fails: Theorem 8.7: There is an in nite set of formulas ; and a formula ' such that V ; ! ' (hence ; '), but for no proper subset ;0 ; is it the case that V 0 0 ; ' (hence neither is it the case that ; ! ').
Proof Take
' def = p ! [a]q ; def = fp ! q; p ! [a]q; p ! [aa]q; : : : ; p ! [ai ]q; : : : g: V Then ; ! '. But for ;0 $ ;, say with p ! [ai ]q 2 ; ; ;0, consider a structure with states !, atomic program a interpreted as the successor relation, p true only at 0, and q false only at i. q q q q q :q q q p :p :p :p :p :p :p :p
s s s s s s s s -
-
-
-
-
-
-
-
0 1 2 i 0 Then all formulas of ; are true in all states of this model, but ' is false in state 0. As shown in Theorem 7.7, logical consequences ; ' for nite ; are no more dicult to decide than validity of single formulas. But what if ; is in nite? Here compactness is the key factor. If ; is an r.e. set and the logic is compact, then the consequence problem is r.e.: to check whether ; ', the nite subsets of ; can be
MIT Press Math7X9/2000/06/30:10:36 Page 222
222
Chapter 8
eectively enumerated, and checking ; ' for nite ; is a decidable problem. Since compactness fails in PDL, this observation does us no good, even when ; is known to be recursively enumerable. However, the following result shows that the situation is much worse than we might expect: even if ; is taken to be the set of substitution instances of a single formula of PDL, the consequence problem becomes very highly undecidable. This is a rather striking manifestation of PDL's lack of compactness. Let ' be a given formula. The set S' of substitution instances of ' is the set of all formulas obtained by substituting a formula for each atomic proposition appearing in '. Theorem 8.8:
problem
The problem of deciding whether S' particular xed '.
is 11 -hard even for a
is 11 -complete. The
Proof For the upper bound, it suces to consider only countable models. The problem is to decide whether for all countable Kripke frames M, if M S' , then M . The Kripke frame M is rst selected with universal second-order quanti cation, which determines the interpretation of the atomic program and proposition symbols. Once M is selected, the check that M S' =) M is rst-order: either M; u at all states u of M, or there exists a substitution instance '0 of ' and a state u of M such that M; u :'0 . For the lower bound, we encode (the complement of) the tiling problem of Proposition 2.22. The xed scheme ' is used to ensure that any model consists essentially of an ! ! grid. Let North and East be atomic programs and p an atomic proposition. Take ' to be the scheme
[ East) ](
[(North
(8.3.1)
The rst line of (8.3.1) says that from any reachable point, one can always continue the grid in either direction. The second line says that any two states reachable from any state under North are indistinguishable by any PDL formula (note that any formula can be substituted for p), and similary for East. The third line is a commutativity condition; it says that any state reachable by going North and then East is indistinguishable from any state reachable by going East and then North. It follows by induction that if and are any seqs over atomic programs North, East such that and contain the same number of occurrences of each atomic
MIT Press Math7X9/2000/06/30:10:36 Page 223
Complexity of PDL
223
program|that is, if and are permutations of each other|then any model of all substitution instances of (8.3.1) must also satisfy all substitution instances of the formula [(North
[ East) ](<>p ! < >p)
(Exercise 8.3). Now we will construct the formula , which will be used in two ways: (i) to describe the legal tilings of the grid with some given set T of tile types, and (ii) to say that red occurs only nitely often. For (i), we mimic the construction of Theorem 3.60. We use atomic propositions Northc; Southc ; Eastc ; Westc for each color c. For example, the proposition Northblue says that the north edge of the tile is colored blue, and similarly for the other colors and directions. As in Theorem 3.60, for each tile type A 2 T , one can construct a formula TileA from these propositions that is true at a state i the truth values of Northc; Southc ; Eastc ; Westc at that state describe a tile of type A. For example, the formula corresponding to the example given in Theorem 3.60 would be TileA
def ()
Northblue ^
^ c2C
:Northc
c6=blue
^ Southblack ^
^
c2C
:Southc
^c6=black ^ Eastred ^ :Eastc c2C c6=red
^ Westgreen ^
^
c2C
c6=green
:Westc :
MIT Press Math7X9/2000/06/30:10:36 Page 224
224
Chapter 8
Let T be the conjunction _ [(North [ East) ] TileA A2T
^ [East ]Southblue ^ [North]Westblue ^ ^ [(North [ East) ] (Eastc ! <East>Westc ) c2C ^ ^ [(North [ East) ] (Northc !
These correspond to the sentences (3.4.3){(3.4.7) of Theorem 3.60. As in that theorem, any model of T must be a legal tiling. Finally, we give a formula that says that red occurs only nitely often in the tiling: red red
def () def ()
Northred _ Southred _ Eastred _ Westred
Then all valid tilings use only nitely many tiles with a red edge i
S'
T
!
red :
The proof of Theorem 8.8 can be re ned so as to yield similar results for more restricted versions of PDL discussed in Chapter 10. Speci cally, the result holds for SDPDL of Section 10.1 and PDL(0) of Section 10.2. Of course, since the result is negative in nature, it holds for any extensions of these logics.
8.4 Bibliographical Notes The exponential-time lower bound for PDL was established by Fischer and Ladner (1977, 1979) by showing how PDL formulas can encode computations of linearspace-bounded alternating Turing machines. Deterministic exponential-time algorithms were rst given in Pratt (1978, 1979b, 1980b). The algorithm given here is essentially from Pratt (1979b). The algorithm has been implemented by Pratt and reportedly works well on small formulas.
MIT Press Math7X9/2000/06/30:10:36 Page 225
Complexity of PDL
225
Theorem 8.8 showing that the problem of deciding whether ; j= , where ; is a xed r.e. set of PDL formulas, is 11 -complete is due to Meyer et al. (1981).
Exercises 8.1. Supply the missing arguments in the proof of Lemma 8.3: part (i) for the cases ! and 0, part (ii)(a) for the cases [ and , and part (ii)(b) for the cases [ and ;. 8.2. Show how to encode the acceptance problem for linear-space alternating Turing machines in the validity problem for PDL. In other words, given such a machine M and an input x, show how to construct a PDL formula that is valid (true at all states in all Kripke frames) i M accepts x. (Hint. Use the machinery constructed in Section 8.2.) 8.3. In the proof of Theorem 8.8, argue that if and are any seqs over atomic programs North, East such that and contain the same number of occurrences of each atomic program|that is, if and are permutations of each other|then any model of all substitution instances of (8.3.1) must also satisfy all substitution instances of the formula [(North [ East) ](< >p ! < >p):
MIT Press Math7X9/2000/06/30:10:36 P age 226
MIT Press Math7X9/2000/06/30:10:36 Page 227
9 Nonregular PDL In this chapter we enrich the class of regular programs in PDL by introducing programs whose control structure requires more than a nite automaton. For example, the class of context-free programs requires a pushdown automaton (PDA), and moving up from regular to context-free programs is really going from iterative programs to ones with parameterless recursive procedures. Several questions arise when enriching the class of programs of PDL, such as whether the expressive power of the logic grows, and if so whether the resulting logics are still decidable. We rst show that any nonregular program increases PDL's expressive power and that the validity problem for PDL with context-free programs is undecidable. The bulk of the chapter is then devoted to the dicult problem of trying to characterize the borderline between decidable and undecidable extensions. On the one hand, validity for PDL with the addition of even a single extremely simple nonregular program is shown to be already 11 -complete; but on the other hand, when we add another equally simple program, the problem remains decidable. Besides these results, which pertain to very speci c extensions, we discuss some broad decidability results that cover many languages, including some that are not even context-free. Since no similarly general undecidability results are known, we also address the weaker issue of whether nonregular extensions admit the nite model property and present a negative result that covers many cases.
9.1 Context-Free Programs Consider the following self-explanatory program: while p do a ; now do b the same number of times (9.1.1) This program is meant to represent the following set of computation sequences: f(p? ; a)i ; :p? ; bi j i 0g: Viewed as a language over the alphabet fa; b; p; :pg, this set is not regular, thus cannot be programmed in PDL. However, it can be represented by the following parameterless recursive procedure:
MIT Press Math7X9/2000/06/30:10:36 Page 228
228
Chapter 9
proc V f if p then f a ; call V ; b g else return g The set of computation sequences of this program is captured by the context-free grammar
V ! :p? j p?aV b: We are thus led to the idea of allowing context-free programs inside the boxes and diamonds of PDL. From a pragmatic point of view, this amounts to extending the logic with the ability to reason about parameterless recursive procedures. The particular representation of the context-free programs is unimportant; we can use pushdown automata, context-free grammars, recursive procedures, or any other formalism that can be eectively translated into these. In the rest of the chapter, a number of speci c programs will be of interest, and we employ special abbreviations for them. For example, we de ne:
a ba def = fai bai j i 0g a b def = fai bi j i 0g b a def = fbiai j i 0g: Note that a b is really just a nondeterministic version of the program (9.1.1) in which there is simply no p to control the iteration. In fact, (9.1.1) could have been written in this notation as (p?a) :p?b .1 In programming terms, we can compare the regular program (ab) with the nonregular one ab by observing that if a is \purchase a loaf of bread" and b is \pay $1.00," then the former program captures the process of paying for each loaf when purchased, while the latter one captures the process of paying for them all at the end of the month.
9.2 Basic Results We rst show that enriching PDL with even a single arbitrary nonregular program increases expressive power. 1 It is noteworthy that the results of this chapter do not depend on nondeterminism. For example, the negative Theorem 9.6 holds for the deterministic version (9.1.1) too. Also, most of the results in the chapter involve nonregular programs over atomic programs only, but can be generalized to allow tests as well.
MIT Press Math7X9/2000/06/30:10:36 Page 229
Nonregular PDL
229
If L is any language over atomic programs and tests, then PDL + L is de ned exactly as PDL, but with the additional syntax rule stating that for any formula ', the expression
[ mK (L) def = mK ( ): 2L
Note that PDL + L does not allow L to be used as a formation rule for new programs or to be combined with other programs. It is added to the programming language as a single new stand-alone program only. If PDL1 and PDL2 are two extensions of PDL, we say that PDL1 is as expressive as PDL2 if for each formula ' of PDL2 there is a formula of PDL1 such that ' $ . If PDL1 is as expressive as PDL2 but PDL2 is not as expressive as PDL1 , we say that PDL1 is strictly more expressive than PDL2 . Definition 9.2:
Thus, one version of PDL is strictly more expressive than another if anything the latter can express the former can too, but there is something the former can express that the latter cannot. A language is test-free if it is a subset of 0 ; that is, if its seqs contain no tests. If L is any nonregular test-free language, then PDL + L is strictly more expressive than PDL. Theorem 9.3:
Proof The result can be proved by embedding PDL into SkS, the monadic secondorder theory of k successors (Rabin (1969)). It is possible to show that any set of nodes de nable in SkS is regular, so that the addition of a nonregular predicate increases its expressive power. A more direct proof can be obtained as follows. Fix a subset fa0 ; : : : ; ak;1 g 0 . De ne the Kripke frame K = (K; mK ) in which
K def = fa0; : : : ; ak;1 g mK (ai ) def = f(ai x; x) j x 2 fa0 ; : : : ; ak;1 gg mK (p) def = f"g: The frame K can be viewed as a complete k-ary tree in which p holds at the root only and each node has k ospring, one for each atomic program ai , but with all
MIT Press Math7X9/2000/06/30:10:36 Page 230
230
Chapter 9
edges pointing upward. Thus, the only seq from the node x 2 fa0; : : : ; ak;1 g that leads to a state satisfying p is x itself. Now for any formula ' of PDL, the set mK (') is the set of words over fa0 ; : : : ; ak;1 g describing paths in K leading from states that satisfy ' to the root. It is easy to show by induction on the structure of ' that mK (') is a regular set over the alphabet fa0 ; : : : ; ak;1 g (Exercise 9.1). Since mK (
[
2CS (G)
mK ( );
where CS (G) is the set of computation sequences generated by G as described in Section 4.3. Theorem 9.4:
The validity problem for context-free PDL is undecidable.
Proof Consider the formula
Theorem 9.4 leaves several interesting questions unanswered. What is the level of undecidability of context-free PDL? What happens if we want to add only a small number of speci c nonregular programs? The rst of these questions arises from the fact that the equivalence problem for context-free languages is co-r.e., or in the notation of the arithmetic hierarchy (Section 2.2), it is complete for 01 . Hence, all Theorem 9.4 shows is that the validity problem for context-free PDL is 01 -hard, while it might in fact be worse. The second question is far more general. We might be interested in reasoning only about deterministic or linear context-free
MIT Press Math7X9/2000/06/30:10:36 Page 231
Nonregular PDL
231
programs,2 or we might be interested only in a few special context-free programs such as aba or ab . Perhaps PDL remains decidable when these programs are added. The general question is to determine the borderline between the decidable and the undecidable when it comes to enriching the class of programs allowed in PDL. Interestingly, if we wish to consider such simple nonregular extensions as PDL + a ba or PDL + a b, we will not be able to prove undecidability by the technique used for context-free PDL in Theorem 9.4, since standard problems that are undecidable for context-free languages, such as equivalence and inclusion, are decidable for classes containing the regular languages and the likes of a ba and ab . Moreover, we cannot prove decidability by the technique used for PDL in Section 6.2, since logics like PDL + a ba and PDL + a b do not enjoy the nite model property, as we now show. Thus, if we want to determine the decidability status of such extensions, we will have to work harder. There is a satis able formula in PDL + ab that is not satis ed in any nite structure. Theorem 9.5:
Proof Let ' be the formula
p ^
[a ]
^ [(a [ b)ba]0 ^ [aa][a b]:p ^ [a b][b]0:
Let K0 be the in nite structure illustrated in Fig. 9.1 in which the only states satisfying p are the dark ones. It is easy to see that K0 ; u '. Now let K be a nite structure with a state u such that K; u '. Viewing K as a nite graph, we associate paths with the sequences of atomic programs along them. Consider the set U of paths in K leading from u to states satisfying p. The fact that K is nite implies that U is a regular set of words. However, the third conjunct of ' eliminates from U paths that contain b followed by a, forcing U to be contained in ab ; the fourth and fth conjuncts force U to be a subset of fai bi j i 0g; and the rst two conjuncts force U to contain a word in ai b for each i 0. Consequently, U must be exactly fai bi j i 0g, contradicting regularity. 2 A linear program is one whose seqs are generated by a context-free grammar in which there is at most one nonterminal symbol on the right-hand side of each rule. This corresponds to a family of recursive procedures in which there is at most one recursive call in each procedure.
MIT Press Math7X9/2000/06/30:10:36 Page 232
232
Chapter 9
b
b
b
b
b
b
b
b
b
b
u a
a
a
a
a
Figure 9.1
9.3 Undecidable Extensions Two-Letter Programs The proof of Theorem 9.5 can be modi ed easily to work for PDL + a ba (Exercise 9.3). However, for this extension the news is worse than mere undecidability: Theorem 9.6:
The validity problem for PDL + aba is 11 -complete.
Proof To show that the problem is in 11 , we use the Lowenheim{Skolem Theorem (Section 3.4) to write the notion of validity in the general form \For every countable structure : : : ," then observe that the question of whether a given formula is satis ed in a given countable structure is arithmetical. To show that the problem is 11 -hard, we reduce the tiling problem of Proposition 2.22 to it. Recall that in this tiling problem, we are given a set T of tile types, and we wish to know whether the ! ! grid can be tiled so that the color red appears in nitely often. We proceed as in the proof of the lower bound of Theorem 8.8. We use the same atomic propositions Northc ; Southc ; Eastc ; Westc for each color c. For example, Northc says that the north edge of the current tile is colored c. As in Theorem 8.8, for each tile type A 2 T , we construct a formula TileA from these propositions
MIT Press Math7X9/2000/06/30:10:36 Page 233
Nonregular PDL
233
a b
Figure 9.2
that is true at a state if the truth values of Northc ; Southc ; Eastc ; Westc at that state describe a tile of type A. The construction of the grid must be dierent here, since the extension of PDL with the new program aba does not oer a direct way of setting up two atomic programs, such as North and East, to correspond to the two directions on a grid, as was done in Theorems 3.60 and 8.8. The imaginary grid that we want to tile must be set up in a subtler manner. Denoting a ba by and a ab by , let 'snake be the formula
MIT Press Math7X9/2000/06/30:10:36 Page 234
234
Chapter 9
We now have to state that the grid implicit in the path is tiled legally with tiles from T and that red occurs in nitely often. For this we use the formula red from Theorem 8.8: red
def ()
Northred _ Southred _ Eastred _ Westred :
We then construct the general formula 'T as the conjunction of 'snake and the following formulas: [(a
[ b) a]
_
A2T
TileA
(9.3.1)
aa] ^ ((Eastc ! [a]Westc ) ^ (Northc ! [aa]Southc )) (9.3.2) c2C ^ [( ) a a] ((Eastc ! [aa]Westc ) ^ (Northc ! [a]Southc )) (9.3.3) c2C [ ]< a a>red: (9.3.4) [( )
Clause (9.3.1) associates tiles from T with those points of that follow a's, which are exactly the points of ! !. Clauses (9.3.2) and (9.3.3) force the matching of colors by using aba to reach the correct neighbor, coming from above or below depending on the parity of 's. Finally, clause (9.3.4) can be shown to force the recurrence of red. This is not straightforward. In the case of the consequence problem of Theorem 8.8, the ability to substitute arbitrary formulas for the atomic proposition p made it easy to enforce the uniformity of properties in the grid. In contrast, here the < > portion of the formula could be satis ed along dierent paths that branch o the main path . Nevertheless, a Konig-like argument can be used to show that indeed there is an in nite recurrence of red in the tiling along the chosen path (Exercise 9.4). It follows that 'T is satis able if and only if T can tile ! ! with red recurring in nitely often. The 11 result holds also for PDL extended with the two programs ab and (Exercise 9.5). It is easy to show that the validity problem for context-free PDL in its entirety remains in 11 . Together with the fact that aba is a context-free language, this yields an answer to the rst question mentioned earlier: context-free PDL is 11 -complete. As to the second question, Theorem 9.6 shows that the high undecidability phenomenon starts occurring even with the addition of one very simple nonregular program.
b a
MIT Press Math7X9/2000/06/30:10:36 Page 235
Nonregular PDL
235
One-Letter Programs We now turn to nonregular programs over a single letter. Consider the language of powers of 2: i a2 def = fa2 j i 0g:
Here we have: Theorem 9.7:
The validity problem for PDL + a2 is undecidable.
Proof sketch. This proof is also carried out by a reduction from a tiling problem, but this time on a subset of the ! ! grid. It makes essential use of simple properties of powers of 2. The idea is to arrange the elements of the set S = f2i +2j j i; j 0g in a grid as shown in Fig. 9.3. Elements of this set are reached by executing the new program a2 twice from the start state. The key observation in the proof has to do with the points that are reached when a2 is executed once more from a point u already in S . If u is not a power of two (that is, if u = 2i + 2j for i 6= j ), then the only points in S that can be reached by adding a third power of 2 to u are u's upper and right-hand neighbors in Fig. 9.3. If u is a power of 2 (that is, if u = 2i + 2i ), then the points in S reached in this manner form an in nite set consisting of one row ( nite) and one column (in nite) in the gure. A particularly delicate part of the proof involves setting things up so that the upper neighbor can be distinguished from the right-hand one. This is done by forcing a periodic marking of the grid with three diagonal stripes encoded by three new atomic programs. In this way, the two neighbors will always be associated with dierent detectable stripes. Exercise 9.6 asks for the details.
It is actually possible to prove this result for powers of any xed k 2. Thus PDL with the addition of any language of the form faki j i 0g for xed k 2 is undecidable. Another class of one-letter extensions that has been proven to be undecidable consists of Fibonacci-like sequences: Let f0 ; f1 be arbitrary elements of N with f0 < f1 , and let F be the sequence f0 ; f1 ; f2; : : : generated by the recurrence fi = fi;1 + fi;2 for i 2. Let aF def = fafi j i 0g. Then the validity problem for PDL + aF is undecidable. Theorem 9.8:
MIT Press Math7X9/2000/06/30:10:36 Page 236
236
Chapter 9
.
.
.
.
.
5
33
34
36
40
48
4
17
18
20
24
32
3
9
10
12
16
2
5
6
8
1
3
0
2 0
64
4
1
2
3
4
5
Figure 9.3
The proof of this result follows the general lines of the proof of Theorem 9.7, but is more complicated. It is based on a careful analysis of the properties of sums of elements of F . In both these theorems, the fact that the sequences of a's in the programs grow exponentially is crucial to the proofs. Indeed, we know of no undecidability results for any one-letter extension in which the lengths of the sequences of a's grow
MIT Press Math7X9/2000/06/30:10:36 Page 237
Nonregular PDL
237
subexponentially. Particularly intriguing are the cases of squares and cubes: 2 a2 def = fai j i 0g; 3 a3 def = fai j i 0g: Are PDL + a2 and PDL + a3 undecidable?
In Section 9.5 we shall describe a decidability result for a slightly restricted version of the squares extension, which seems to indicate that the full unrestricted version PDL + a2 is decidable too. However, we conjecture that for cubes the problem is undecidable. Interestingly, several classical open problems in number theory reduce to instances of the validity problem for PDL + a3 . For example, while no one knows whether every integer greater than 10000 is the sum of ve cubes, the following formula is valid if and only if the answer is yes: 3 [(a )5 ]p ! [a10001 a ]p: (The 5-fold and 10001-fold iterations have to be written out in full, of course.) If 3 PDL + a were decidable, then we could compute the answer in a simple manner, at least in principle.
9.4 Decidable Extensions We now turn to positive results. In Theorem 9.5 we showed that PDL + a b does not have the nite model property. Nevertheless, we have the following: Theorem 9.9:
The validity problem for PDL + a b is decidable.
When contrasted with Theorem 9.6, the decidability of PDL + a b is very surprising. We have two of the simplest nonregular languages|aba and ab | which are extremely similar, yet the addition of one to PDL yields high undecidability while the other leaves the logic decidable. Theorem 9.9 was proved originally by showing that, although PDL + ab does not always admit nite models, it does admit nite pushdown models, in which transitions are labeled not only with atomic programs but also with push and pop instructions for a particular kind of stack. A close study of the proof (which relies heavily on the idiosyncrasies of the language ab ) suggests that the decidability or undecidability has to do with the manner in which an automaton accepts the languages involved. For example, in the usual way of accepting a ba, a pushdown automaton (PDA) reading an a will carry out a push or a pop, depending upon its
MIT Press Math7X9/2000/06/30:10:36 Page 238
238
Chapter 9
location in the input word. However, in the standard way of accepting ab , the a's are always pushed and the b's are always popped, regardless of the location; the input symbol alone determines what the automaton does. More recent work, which we now set out to describe, has yielded a general decidability result that con rms this intuition. It is of special interest due to its generality, since it does not depend on speci c programs. Definition 9.10: Let M = (Q; ; ;; q0 ; z0 ; ) be a PDA that accepts by empty
stack. We say that M is simple-minded if, whenever (q; ; ) = (p; b), then for each q0 and 0 , either (q0 ; ; 0 ) = (p; b) or (q0 ; ; 0 ) is unde ned. A contextfree language is said to be simple-minded (a simple-minded CFL) if there exists a simple-minded PDA that accepts it. In other words, the action of a simple-minded automaton is determined uniquely by the input symbol; the state and stack symbol are only used to help determine whether the machine halts (rejecting the input) or continues. Note that such an automaton is necessarily deterministic. It is noteworthy that simple-minded PDAs accept a large fragment of the context-free languages, including a b and b a, as well as all balanced parenthesis languages (Dyck sets) and many of their intersections with regular languages. Example 9.11: Let M = (fq0 ; qg; ; ;; q0 ; z0 ; ) be a PDA, where = fa; bg,
; = fz; z0g, and the transition function is given by:
(q0 ; a; z0 ) (q0 ; a; z ) (q0 ; b; z ) (q; b; z )
= = = =
(q0 ; pop; push(z )) (q0 ; push(z )) (q; pop) (q; pop):
The function is unde ned for all other possibilities. Since M accepts by empty stack, the language accepted is precisely fai bi j i 1g. The automaton M is simpleminded, since it always performs push(z ) when the input is a and pop when the input is b. Example 9.12: Let M = (fqg; [ 0 ; ;; q; z0 ; ) be a PDA, where = f[; ]g, 0 is some nite alphabet of interest disjoint from , ; = f[; z0 g, and the transition
MIT Press Math7X9/2000/06/30:10:36 Page 239
Nonregular PDL
239
function is given by: (q; [; z0 ) = (q; pop; push( [ )) (q; a; [ ) = (q; sp) for a 2 0 (q; ]; [ ) = (q; pop): Here sp stands for \stay put," and can be considered an abbreviation for push("). The function is unde ned for all other possibilities. Since the automaton only accepts by empty stack, the language accepted by M is precisely the set of expressions over [ 0 beginning with [ and ending with ] in which the parentheses are balances. The automaton M is simple-minded, since it always performs push( [ ) when the input is [, pop when the input is ], and sp when the input is a letter from 0 . The main purpose of this entire section is to prove the following: Theorem 9.13:
decidable.
If L is accepted by a simple-minded PDA, then PDL + L is
First, however, we must discuss a certain class of models of PDL.
Tree Models
We rst prove that PDL + L has the tree model property . Let be a formula of PDL + L containing n distinct atomic programs, including those used in L. A tree structure for in PDL + L is a Kripke frame K = (K; mK ) such that K is a nonempty pre x-closed subset of [k] , where [k] = f0; : : : ; k ; 1g for some k 0 a multiple of n; for all atomic programs a, mK (a) f(x; xi) j x 2 [k]; i 2 [k]g; if a; b are atomic programs and a 6= b, then mK (a) \ mK (b) = ?. A tree structure K = (K; mK ) is a tree model for if K; " , where " is the null string, the root of the tree. We now show that for any L, if a PDL + L formula is satis able, then it has a tree model. To do this we rst unwind any model of into a tree as in Theorem 3.74, then use a construction similar to Exercise 3.42 to create a substructure in which every state has a nite number of successors. In order to proceed, we want to be able to refer to the Fischer{Ladner closure FL( ) of a formula in PDL + L. The de nition of Section 6.1 can be adopted as is, except that we take FL2([L]) = ?
MIT Press Math7X9/2000/06/30:10:36 Page 240
240
Chapter 9
(we will not need it). Note however that if [L] 2 FL( ), then 2 FL( ) as well. Now for the tree result: Proposition 9.14: A formula
in PDL + L is satis able i it has a tree model.
Proof Suppose that K; u for some Kripke frame K = (K; mK ) and u 2 K . Let Ci for 0 i < 2jFL( )j be an enumeration of the subsets of FL( ), let k = n2jFL( )j , and let
Th (t) def = f 2 FL( ) j K; t g:
To show that has a tree model, we rst de ne a partial mapping : [k] ! 2K by induction on the length of words in [k] :
(") def = fug def (x(i + nj )) = ft 2 K j 9s 2 (x) (s; t) 2 mK (ai ) and Cj = Th (t)g for all 0 i < n and 0 j < 2jFL( )j . Note that if (x) is the empty set, then so is (xi). We now de ne a Kripke frame K0 = (K 0 ; mK ) as follows: 0
K 0 def = fx j (x) 6= ?g; def mK (ai ) = f(x; x(i + nj )) j 0 j < 2jFL( )j ; x(i + nj ) 2 K 0 g; mK (p) def = fx j 9t 2 (x) t 2 mK (p)g: Note that mK is well de ned by the de nitions of and mK . It is not dicult to show that K0 is a tree structure and that if x 2 K 0 and 2 FL( ), then K0 ; x i K; t for some t 2 (x). In particular, K0 ; " . 0
0
0
The converse is immediate.
Let CL( ) be the set of all formulas in FL( ) and their negations. Applying the De Morgan laws and the PDL identities
:[]' $ <>:' :<>' $ []:' ::' $ ' from left to right, we can assume without loss of generality that negations in formulas of CL( ) are applied to atomic formulas only.
MIT Press Math7X9/2000/06/30:10:36 Page 241
Nonregular PDL
241
Let CL? ( ) def = CL( ) [ f?g:
We would now like to embed the tree model K0 = (K 0 ; mK ) constructed above into a certain labeled complete k-ary tree. Every node in K 0 will be labeled by the formulas in CL( ) that it satis es, and all the nodes not in K 0 are labeled by the special symbol ?. These trees satisfy some special properties, as we shall now see. 0
A unique diamond path Hintikka tree (or UDH tree for short) for a PDL + L formula with atomic programs a0 ; : : : ; an;1 consists of a k-ary tree [k] for some k a multiple of n and two labeling functions Definition 9.15:
T : [k] ! 2CL ( ) : [k] ! CL? ( ) such that 2 T ("); for all x 2 [k] , (x) is either a single diamond formula or the ?
special symbol ?; and
1. either T (x) = f?g or ?62 T (x), and in the latter case, 2 T (x) i : 62 T (x) for all 2 FL( ); 2. if ! 2 T (x) and 2 T (x), then 2 T (x), and ^ 2 T (x) i both 2 T (x) and 2 T (x); 3. if < > 2 T (x), and (a)if is an atomic program ai , then there exists j such that i + nj < k and 2 T (x(i + nj )); (b)if = ; , then <>< > 2 T (x); (c)if = [ , then either <> 2 T (x) or < > 2 T (x); (d)if = '?, then both ' 2 T (x) and 2 T (x); (e)if = , then there exists a word w = w1 wm 2 CS ( ) and u0 ; : : : ; um 2 [k] such that u0 = x, 2 T (um), and for all 1 i m, (ui ) = < > ; moreover, if wi is '?, then ' 2 T (ui;1 ) and ui = ui;1 , and if wi is aj 2 0 , then ui = ui;1 r, where r = j + n` < k for some `; (f)if = L, then there exists a word w = w1 wm 2 L and u0 ; : : : ; um 2 [k] such that u0 = x, 2 T (um), and for all 1 i m, (ui ) =
MIT Press Math7X9/2000/06/30:10:36 Page 242
242
Chapter 9
(a)if is an atomic program aj , then for all r = j + n` < k, if T (xr) 6= f?g then 2 T (xr); (b)if = ; , then [][ ] 2 T (x); (c)if = [ , then both [] 2 T (x) and [ ] 2 T (x); (d)if = '? and if ' 2 T (x), then 2 T (x); (e)if = , then 2 T (x) and [][ ] 2 T (x); (f)if = L, then for all words w = w1 wm 2 L and u0 ; : : : ; um 2 [k] such that u0 = x and for all 1 i m, if wi = aj 2 0 , then ui = ui;1 r, where r = j + n` < k for some `, we have that either T (um) = f?g or 2 T (um). Proposition 9.16:
model.
A formula
in PDL + L has a UDH if and only if it has a
Proof Exercise 9.9.
Pushdown Automata on In nite Trees We now discuss pushdown automata on in nite trees. We show later that such an automaton accepts precisely the UDH's of some formula. A pushdown k-ary !-tree automaton (PTA) is a machine
M = (Q; ; ;; q0 ; z0 ; ; F ); where Q is a nite set of states, is a nite input alphabet, ; is a nite stack alphabet, q0 2 Q is the initial state, z0 2 ; is the initial stack symbol, and F Q is the set of accepting states. The transition function is of type
: Q ; ! (2(QB)k [ 2QB ); where B = fpopg [ fpush(w) j w 2 ; g. The transition function re ects the fact that M works on trees with outdegree k that are labeled by . The number of rules in is denoted by jj.
A good informal way of viewing PTA's is as a pushdown machine that operates on an in nite tree of outdegree k. At each node u of the tree, the machine can read the input symbol T (u) there. It can either stay at that node, performing some action on the stack and entering a new state as determined by an element of Q B ; or it can split into k copies, each copy moving down to one of the k children of u, as determined by an element of (Q B )k .
MIT Press Math7X9/2000/06/30:10:36 Page 243
Nonregular PDL
243
The set of stack con gurations is S = f z0 j 2 ; g. The top of the stack is to the left. The initial stack con guration is z0 . A con guration is a pair (q; ) 2 Q S . The initial con guration is (q0 ; z0). Let head : S ! ; be a function given by head(z ) = z . This describes the letter on top of the stack. If the stack is empty, then head is unde ned. In order to capture the eect of on stack con gurations, we de ne the partial function apply : B S ! S that provides the new contents of the stack:
apply(pop; z ) def = ; def apply(push(w); ) = w : The latter includes the case w = ", in which case the stack is unchanged; we abbreviate push(") by sp. The automaton M runs on complete labeled k-ary trees over . That is, the input consists of the complete k-ary tree [k] with labeling function T : [k] ! : We denote the labeled tree by T . A computation of M on input T is a labeling C : [k] ! (Q S )+ of the nodes of T with sequences of con gurations satisfying the following conditions. If u 2 [k] , T (u) = a 2 , and C (u) = ((p0 ; 0 ); : : : ; (pm ; m )), then (pi+1 ; bi+1 ) 2 (pi ; a; head( i )) and apply(bi+1 ; i ) = i+1 for 0 i < m; and there exists ((r0 ; b0 ); : : : ; (rk;1 ; bk;1 )) 2 (pm ; a; head( m )) such that for all 0 j < k, the rst element of C (uj ) is (rj ; apply(bj ; m )). Intuitively, a computation is an inductive labeling of the nodes of the tree [k] with con gurations of the machine. The label of a node is the sequence of con gurations that the machine goes through while visiting that node. A computation C is said to be Buchi accepting , or just accepting for short, if the rst con guration of C (") is the start con guration (q0 ; z0 ) and every path in the tree contains in nitely many nodes u such that q 2 F for some (q; ) 2 C (u). A tree T is accepted by M if there exists an accepting computation of M on T . The emptiness problem is the problem of determining whether a given automaton M accepts some tree. A PTA that uses only the symbol sp from B (that is, never pushes nor pops) is simply a Buchi k-ary !-tree automaton as de ned in Vardi and Wolper (1986a). Our de nition is a simpli ed version of the more general de nition of stack tree
MIT Press Math7X9/2000/06/30:10:36 Page 244
244
Chapter 9
automata from Harel and Raz (1994) and is similar to that appearing in Saudi (1989). If k = 1, the in nite trees become in nite sequences. Our main result is the following. Theorem 9.17: The emptiness problem for PTA's is decidable.
The proof in Harel and Raz (1994) establishes decidability in 4-fold exponential time for STA's and in triple-exponential time for PTA's. A single-exponential-time algorithm for PTA's is given by Peng and Iyer (1995).
Decidability for Simple-Minded Languages
Given a simple-minded CFL L, we now describe the construction of a PTA A for each in PDL + L. This PTA will be shown to accept precisely the UDH trees of the formula . The PTA A is a parallel composition of three machines. The rst, called A` , is a tree automaton with no stack that tests the input tree for local consistency properties. The second component of A , called A2 , is a tree PDA that deals with box formulas that contain L. The third component, called A3 , is a tree PDA that deals with the diamond formulas of CL( ). Let ML = (Q; ; ;; q0 ; z0 ; ) be a simple-minded PDA that accepts the language L, and let be a formula in PDL + L. De ne the function : ; ! ; by:
(a; z ) = w if there exist p; q 2 Q such that (p; a; z ) = (q; w). Note that for a simple-minded PDA, is a partial function. The local automaton for is
A` def = (2CL
?
( ) ; 2CL ( ) ; ?
N ; ; 2CL
?
( ) );
where: CL? ( ) = CL( ) [ f?g; the starting set N consists of all sets s such that 2 s; (s0 ; : : : ; sk;1 ) 2 (s; a) i s = a, and {either s = f?g or ?62 s, and in the latter case, 2 s i : 62 s; {if ! 2 s and 2 s, then 2 s, and ^ 2 s i both 2 s and 2 s; {if < > 2 s, then: if is an atomic program aj , then there exists r = j + n` < k for some ` such that 2 sr ; if = ; , then <>< > 2 s; if = [ , then either <> 2 s or < > 2 s;
MIT Press Math7X9/2000/06/30:10:36 Page 245
Nonregular PDL
245
if = '? then both ' 2 s and 2 s; {if [ ] 2 s, then: if is an atomic program aj , then for all r = j + n` < k, if sr 6= f?g then 2 s; if = ; , then [][ ] 2 s; if = [ , then both [] 2 s and [ ] 2 s; if = '? and ' 2 s, then 2 s; if = , then both 2 s and [][ ] 2 s. The automaton A` accepts precisely the trees that satisfy conditions 1, 2, 3(a){(d), and 4(a){(e) of De nition 9.15. Proposition 9.18:
Proof A computation of an automaton M on an in nite tree T : [k] ! is an in nite tree C : [k] ! Q0 , where Q0 is the set of states of M . Clearly, if T satis es conditions 1, 2, 3(a){(d) and 4(a){(e) of De nition 9.15, then T is also an accepting computation of A` on T . Conversely, if C is an accepting computation of A` on some tree T , then C is itself an in nite tree over 2CL ( ) that satis es the desired conditions. By the rst rule of A` , for every node a we have a = s, hence T = C , and T satis es conditions 1, 2, 3(a){(d), and 4(a){(e) of De nition 9.15. ?
The aim of the the next component of A is to check satisfaction of condition 4(f) of De nition 9.15, the condition that deals with box formulas containing the symbol L. The box automaton for is
A2 def = (Q2 ; 2CL ( ) ; ; 2CL ( ) ; q0 ; (z0 ; ?); ; Q2 ); where Q2 = Q and is given by: ((p0 ; w0 ); : : : ; (pk;1 ; wk;1 )) 2 (q; a; (z; s)) i 1. either a =? or s a, and 2. for all 0 j < n and for all i = j + n` < k we have: (a)if (q; aj ; z ) = (q0 ; "), then pi = q0 and wi = ", (b)if (q; aj ; z ) = (q0 ; z ), then pi = q0 and wi = (z; s [ s0 ), (c)if (q; aj ; z ) = (q0 ; zz 0), then pi = q0 and wi = (z; s [ s0 ); (z 0 ; ?), and (d)if (q; aj ; z ) is unde ned, then i.if (q0 ; aj ; z0 ) is unde ned, then pi = q0 and wi = (z0 ; ?); ?
?
MIT Press Math7X9/2000/06/30:10:36 Page 246
246
Chapter 9
ii.if (q0 ; aj ; z0 ) = (q0 ; z0 ), then pi = q0 and wi = (z0 ; s0 ); and iii.if (q0 ; aj ; z0 ) = (q0 ; z0 z ), then pi = q0 and wi = (z0 ; s0 ); (z 0 ; ?). Here, if (q0 ; aj ; z0 ) is de ned and [L] 2 a, then 2 s0 , otherwise s0 = ?. In clause 1 we check whether old box promises that involve the language L are kept, while in clause 2 we put new such box promises on the stack to be checked later on. Note that the stack behavior of A2 depends only on the path in the tree and not on the values of the tree nodes. Lemma 9.19:
Let x 2 [k] and T : [k] ! 2CL
?
( ) , and
let
C2 (x) def = (q; (z0 ; s0 ); : : : ; (zm ; sm)); where C2 is a computation of A2 over T . Then for each w = aj1 aj` 2 L and rm = jm + n`m < k, the following two conditions hold: C2 (xr1 r` ) = (q0 ; (z0 ; s0); : : : ; (zm;1 ; sm;1 ); (zm ; s0m)); s0m contains all formulas for which [L] 2 T (x). Proof De ne m : Q (; 2CL ( ) )+ ! Q2 ;+ by ?
(q; (z0 ; s0 ) (zm ; sm ) (zr ; sr )) def = (q; zm ; : : : ; zr ): Let (q0 ; 0 ) (q` ; ` ) be a computation of M that accepts w. Since w is in L, for all r1 = j1 + n`1 < k we have that (q0 ; aj ; z0 ) is de ned; hence by the de nition of s0 in A2 we have that
C2 (xr1 ) = (q0 ; (z0 ; s0); : : : ; (zm ; s0m ); 0 ); where 0 may be empty and s0m contains all formulas such that [L] 2 T (x). We proceed by induction on i to prove that m (C2 (xr1 ri )) = (qi ; i ) for all 1 i `. The base case has just been established, and the general case follows immediately from the de nition of A2 . For i = `, this proves the lemma. The box automaton A2 accepts precisely the trees that satisfy condition 4(f) of De nition 9.15. Proposition 9.20:
Proof We must show that A2 has an accepting computation over some tree T i for all x 2 [k] the following holds: if [L] 2 T (x), then for all rm = jm + n`m < k, we have 2 T (xr1 r` ) or T (xr1 r` ) = f?g.
MIT Press Math7X9/2000/06/30:10:36 Page 247
Nonregular PDL
247
(=)) Suppose for a contradiction that there exist x0 2 [k] , [L] 2 T (x0 ), and w = aj1 ; : : : ; aj` 2 L such that T (xr1 r` ) 6= f?g and 62 T (xr1 r` ) for some rm = jm + n`m < k. Let C be any computation of A2 . By Lemma 9.19, we know that C (xr1 r` ) = (q0 ; (z0 ; s00 ) (zm ; s0m)), and 2 s0m. This yields a contradiction to our assumption, since clause 1 in the de nition of A2 requires that s a, which implies 2 T (xr1 r`). ((=) If T satis es the above condition and at each stage of the computation we add to s0 exactly all for which [L] 2 T (x) when (q0 ; aj ; z0 ) is de ned and add ? otherwise, we obtain an in nite computation of A2 over T . This computation is accepting because F2 = Q2 . The third component of A deals with diamond formulas. Note that unlike the box case, some diamond formulas are non-local in nature, thus cannot be handled by the local automaton. The special nature of UDH's is the key for the following construction, since it ensures that each diamond formula is satis ed along a unique path. All A3 must do is guess nondeterministically which successor lies on the appropriate path and check that there is indeed a nite path through that successor satisfying the diamond formula. For technical reasons, we must de ne a nite automaton for each such that < > 2 CL( ) for some . De ne = [ f'? j '? 2 CL( )g, and let M = (Q ; ; q0 ; ; F ) be an automaton for CS (). The diamond automaton for is
A3 def = (Q3 ; 2CL
?
( );
; f0; 1g; (1; ?; ?); (z0 ; 0); ; F3 );
where
S Q3 def = f0; 1g CL? ( ) (Q [ fQ j < > 2 CL( ) for some g). The rst
component is used to indicate acceptance, the second points to the diamond formula that is being veri ed or to ? if no such formula exists, and the third is used to simulate the computation of either ML or M . F3 is the set of all triples in Q3 containing 1 in the rst component or ? in the second. De ne
8 if (aj ; z ) = " <" def ( a ; z ) = ( z; 0) aj ; z ) = z M j : (z; 0)(z 0; 1) ifif (
(aj ; z ) = zz 0
MIT Press Math7X9/2000/06/30:10:36 Page 248
248
Chapter 9
and
8 if (aj ; z ) = " <" if (aj ; z ) = z N (aj ; z ) = : (z; 1) (z; 1)(z 0; 1) if (aj ; z ) = zz 0: Then ((p0 ; w0 ); : : : ; (pk;1 ; wk;1 )) 2 ((c; g; q); a; (z; b)) i the following three condef
ditions hold: 1. (a)for each <> 2 a, either 2 a or there exists i = j + n` < k and a word v = '1 ? 'm ? such that f'1 ; : : : ; 'm g a and pi = (ci ; <>; p), p 2 (q0 ; vaj ), and wi = M (aj ; z ); (b)if
Proof Exercise 9.10. Lemma 9.22: There is a pushdown k-ary tree automaton A such that L(A ) = L(A` ) \ L(A3 ) \ L(A2 ) and the size of A is at most jA` j jA3 j jA2 j.
MIT Press Math7X9/2000/06/30:10:36 Page 249
Nonregular PDL
249
Proof De ne
A
def
Q q0 F
def
= (Q ; 2CL as follows:
;
z0
= = def = def = def = def
?
( );
; ; q0 ; z0 ; ; F )
Q` Q2 Q3 N q0 2 q0 3 Q` Q2 F3 ;2 ;3
z0 2 z0 3
and the transition function is the Cartesian product of the appropriate functions of the component automata. Since all the states of both the local automaton and the box automaton are accepting states, and since we have taken the third component of A to be F3 , the accepted language is as required. Also, the size bound is immediate. We have only to show that this de nition indeed describes a tree PDA; in other words, we have to show that the transition function is well de ned. This is due to the simple-mindedness of the language L. More formally, for each x 2 [k] and each im = jm + n`m < k, the stack operations of A3 are the same as the stack operations of A2 , since they both depend only on the letter ajm . Lemma 9.22, together with the preceding results, yields: in PDL + L, where L is a simple-minded CFL, one can construct a PTA A such that has a model i there is some tree T accepted by A . Proposition 9.23: Given a formula
Theorem 9.13 now follows.
Other Decidable Classes Using techniques very similar to those of the previous proof, we can obtain another general decidability result involving languages accepted by deterministic stack automata. A stack automaton is a one-way PDA whose head can travel up and down the stack reading its contents, but can make changes only at the top of the stack. Stack automata can accept non-context-free languages such as a bc and its generalizations a1a2 : : : an for any n, as well as many variants thereof. It would
MIT Press Math7X9/2000/06/30:10:36 Page 250
250
Chapter 9
be nice to be able to prove decidability of PDL when augmented by any language accepted by such a machine, but this is not known. What has been proven, however, is that if each word in such a language is preceded by a new symbol to mark its beginning, then the enriched PDL is decidable: Let e 62 0 , and let L be a language over 0 that is accepted by a deterministic stack automaton. If we let eL denote the language feu j u 2 Lg, then PDL + eL is decidable. Theorem 9.24:
While Theorems 9.13 and 9.24 are general and cover many languages, they do not prove decidability of PDL + abc , which may be considered the simplest noncontext-free extension of PDL. Nevertheless, the constructions used in the proofs of the two general results have been combined to yield: Theorem 9.25:
PDL + a bc is decidable.
9.5 More on One-Letter Programs A Decidable Case The results of the previous section provide sucient conditions for an extension of PDL with a nonregular language to remain decidable.3 If we consider oneletter languages, none of these results apply. Theorem 9.13 involves context-free languages, and by Parikh's theorem (see Kozen (1997a)) nonregular one-letter languages cannot be context-free; Theorem 9.24 involves adding a new letter to each word, and therefore does not apply to one-letter languages; and Theorem 9.25 talks about a speci c three-letter language. The only negative results on oneletter extensions are those of Theorems 9.7 and Theorem 9.8, in which the words grow exponentially. We have no negative results for languages with subexponential growth. However, we do have a recent positive result, which we2 now describe. The aim was to prove that the squares extension, PDL + a , is decidable. The basic idea is to take advantage of the fact that the dierence sequence of the squares language is linear and is in fact very simple: (n + 1)2 ; n2 = 2n + 1. We exploit this in a construction similar in ways to that of Section 9.4, but using stack automata instead of pushdown automata. For technical reasons, the proof as it stands at the time of writing falls short of being applicable to the full PDL + a2 . Accordingly, we 3 There are other decidable extensions that do not satisfy these conditions, so we do not have a tight characterization.
MIT Press Math7X9/2000/06/30:10:36 Page 251
Nonregular PDL
251
have had to restrict somewhat the context in which the squares language appears in formulas. Here is a2 de nition of a restricted version of PDL + a2 , which we call Restricted-PDL + a . Denote by L the squares language a2 . It is easy to see that L = a . Also, for any in nite regular language over the alphabet fag, the concatenation L is regular (Exercise 9.14). Now, given a formula ', we say that ' is clean if L does not appear in '. We say that L appears simply in ' (or in a program ) if all its appearances are either alone (that is, as the sole program within a box or diamond) or concatenated with a nite language over fag and then combined as a union with some regular language over fag, as for example Laa [ (aa) . A nice box formula is a formula of the form []', where ' is clean and L appears simply in . A regular expression is said to be unrestricted if fa; Lg. We now de ne inductively the set of formulas in our PDL extension RestrictedPDL + a2 :
p; :p 2 for all atomic propositions p; []' 2 whenever ' 2 and at least one of the following holds: {both and ' are clean, {[]' is a nice box-formula, { is clean and ' is a nice box-formula; <>' 2 whenever ' 2 and is unrestricted; ' _ 2 whenever '; 2 ; ' ^ 2 whenever '; 2 and at least one of the following holds: {either ' or is clean, {' and are nice box-formulas. We now have: Theorem 9.26:
Restricted-PDL + a2 is decidable.
Cases with no Finite Model Property As explained, we know of no undecidabile extension of PDL with a polynomially growing language, although we conjecture that the cubes extension is undecidable. Since the decidability status of such extensions seems hard to determine, we now address a weaker notion: the presence or absence of a nite model property. The
MIT Press Math7X9/2000/06/30:10:36 Page 252
252
Chapter 9
technique used in Theorem 9.5 to show that PDL + ab violates the nite model property uses the two-letter comb-like model of Fig. 9.1, thus does not work for oneletter alphabets. Nevertheless, we now prove a general result leading to many oneletter extensions that violate the nite model property. In particular, the theorem will yield the following: Proposition 9.27 (squares and cubes):
do not have the nite model property.
The logics PDL + a2 and PDL + a3
Let us now prepare for the theorem. Definition 9.28: For a program over 0 with a 2 0 , we let n( ) denote the set fi j ai 2 CS ( )g. For S N , we let aS denote the set fai j i 2 S g; hence n(aS ) = S .
Let S N. Suppose that for some program in PDL + aS with CS ( ) a , the following conditions are satis ed: Theorem 9.29:
(i) there exists n0 such that for all x n0 and i 2 n( ), x 2 S =) x + i 62 S ; (ii) for every `; m > 0, there exists x; y 2 S with x > y ` and d 2 n( ) such that (x ; y) d (mod m). Then PDL + aS does not have the nite model property.
Proof Every in nite path in a nite model must \close up" in a circular fashion. Thus, formulas satis ed along such a path must exhibit some kind of periodicity. Let S and satisfy the conditions of the theorem. We use the nonperiodic nature of the set S given in property (i) in the statement of the theorem to construct a satis able formula ' in PDL + aS that has no nite model. Let ' be the conjunction of the following three formulas:
'1 def = [a]1 '2 def = [aS ]p '3 def = [an0 ][a](p ! [ ]:p): Here n0 is the constant from (i) and an0 is written out in full. To show that ' is satis able, take the in nite model consisting of a sequence of
MIT Press Math7X9/2000/06/30:10:36 P age 253
Nonregular PDL
253
. ..
a a t0
a t1
...
a t2
t k+m-1 a a
...
t3
t k-1
a a tk
t k+1
Figure 9.4
states t0 ; t1 ; : : : connected in order by the atomic program a. Assign p true in ti i i 2 S . Then t0 ', since (i) guarantees that '3 holds in t0 . We now show that ' does not have a nite model. Suppose K; u0 ' for some nite model K. By '1 and the niteness of K, there must be a path in K of the form shown in Fig. 9.4, where m denotes the size of the cycle. For every z 2 N , let z 0 be the remainder of (z ; k) when divided by m. Note that for z k, the state tk+z can be reached from t0 by executing the program az . By property (ii) in the statement of the theorem, w ecan nd x; y 2 S and d 2 n( ) such that 0
x > y > max(n0 ; k) and (x ; y) d (mod m): That '2 holds at t0 implies that tk+y p and tk+x p. Since y > n0 , it follows from '3 that tk+(y+d) :p. How ever, (x ; y) d (mod m) implies that (y + d)0 = x0 , so that tk+x :p, which is a contradiction. 0
0
0
0
It is sometimes useful to replace condition (ii) of Theorem 9.29 with a weaker condition, call it (ii0 ), in which the consequent does not ha veto hold for every modulus m, but only for every m >= m0 for some xed m0 (Exercise 9.12). Now to some corollaries of the theorem. First, we prove the \squares" part of Proposition 9.27. Pr oof Let Ssqr = fi2 j i 2 Ng. T o satisfy Theorem 9.29(i), take n0 = 1 and = a;
MIT Press Math7X9/2000/06/30:10:36 Page 254
254
Chapter 9
thus n( ) = f1g. As for property (ii) of that theorem, given `; m > 0, let d = 1 and choose y = (qm)2 > ` and x = (qm + 1)2 . Then x; y 2 Ssqr , x > y `, and x ; y = (qm + 1)2 ; (qm)2 d (mod m). In fact, all polynomials of degree 2 or more exhibit the same property: Proposition 9.30 (polynomials): For every polynomial of the form p(n) = ci ni + ci;1 ni;1 + + c0 2 Z[n]
with i 2 and positive leading coecient ci > 0, let Sp = fp(m) j m 2 Ng \ N . Then PDL + aSp does not have the nite model property. Proof To satisfy the conditions of Theorem 9.29, choose j0 such that p(j0 ) ; c0 > 0. Take such that n( ) = fp(j0 ) ; c0 g. Find some n0 such that each x n0 will satisfy p(x + 1) ; p(x) > p(j0 ) ; c0 . This takes care of property (i) of the theorem. Now, given `; m > 0, for d = p(j0 ) ; c0 ; y = p(qm) > `, and x = p(q0 m + j0 ) > y, we have x ; y = p(q0 m + j0 ) ; p(qm) p(j0 ) ; c0 (mod m). Proposition 9.31 (sums of primes):
and de ne
Let pi be the ith prime (with p1 = 2),
n X
Ssop def = f
pi j n 1g: i=1 Then PDL + aSsop does not have the nite model property. Proof Clearly, property (i) of Theorem 9.29 holds with n0 = 3 and = a. To see that (ii) holds, we use a well known theorem of Dirichlet to the eect that there are in nitely many primes in the arithmetic progression s + jt, j 0, if and only if gcd(s; t) = 1. Given `; m > 0, nd some i0 such that pi0 ;1 > ` and pi0 1 (mod m). The existence of such a pi0 follows from Dirichlet's theorem applied to the arithmetic progression P 1 + jm, j 0. P Now let d = 1, y = ii0=1;1 pi , and x = ii0=1 pi . Then x; y 2 Ssop , x > y `, and x ; y = pi0 d (mod m).
Let Sfac def = fn! j n 2 Ng. Then PDL + aSfac does not have the nite model property. Proposition 9.32 (factorials):
Proof Exercise 9.11.
MIT Press Math7X9/2000/06/30:10:36 Page 255
Nonregular PDL
255
Since undecidable extensions of PDL cannot satisfy the nite model property, there is no need to prove that the powers of a xed k or the Fibonacci numbers violate the nite model property. The nite model property fails for any suciently fast-growing integer linear recurrence, not just the Fibonacci sequence, although we do not know whether these extensions also render PDL undecidable. A kth-order integer linear recurrence is an inductively de ned sequence
`n def = c1 `n;1 + + ck `n;k + c0 ; n k; where k 1, c0 ; : : : ; ck 2 N , ck 6= 0, and `0 ; : : : ; `k;1 2 N are given.
(9.5.1)
Let Slr = f`n j n 0g be the set de ned inductively by (9.5.1). The following conditions are equivalent: Proposition 9.33 (linear recurrences):
(i) aSlr is nonregular; (ii) PDL + aSlr does not have the nite model property; P (iii) not all `0 ; : : : ; `k;1 are zero and ki=1 ci > 1. Proof Exercise 9.13.
9.6 Bibliographical Notes The main issues discussed in this chapter|the computational diculty of the validity problem for nonregular PDL and the borderline between the decidable and undecidable|were raised in Harel et al. (1983). The fact that any nonregular program adds expressive power to PDL, Theorem 9.3, rst appeared explicitly in Harel and Singerman (1996). Theorem 9.4 on the undecidability of context-free PDL was observed by Ladner (1977). Theorems 9.5 and 9.6 are from Harel et al. (1983), but the proof of Theorem 9.6 using tiling is taken from Harel (1985). The existence of a primitive recursive one-letter extension of PDL that is undecidable was shown already in Harel et al. (1983), but undecidability for the particular case of a2 , Theorem 9.7, is from Harel and Paterson (1984). Theorem 9.8 is from Harel and Singerman (1996). As to decidable extensions, Theorem 9.9 was proved in Koren and Pnueli (1983). The more general results of Section 9.4, namely Theorems 9.13, 9.24, and 9.25, are from Harel and Raz (1993), as is the notion of a simple-minded PDA. The decidability of emptiness for pushdown and stack automata on trees that is needed
MIT Press Math7X9/2000/06/30:10:36 Page 256
256
Chapter 9
for the proofs of these (Section 9.4) is from Harel and Raz (1994). A better bound on the complexity of the emptiness results can be found in Peng and Iyer (1995). Theorem 9.29 is from Harel and Singerman (1996) and Theorem 9.26 is from Ferman and Harel (2000).
Exercises 9.1. Complete the proof of Theorem 9.3. 9.2. Consider the formula
MIT Press Math7X9/2000/06/30:10:36 Page 257
Nonregular PDL
257
with x > y ` and d 2 n( ) such that (x ; y) d (mod m). 9.13. Show that the terms `n of a kth -order integer linear recurrence of the form (9.5.1) grow either linearly or exponentially, and that condition (iii) of Proposition 9.33 is necessary and sucient for exponential growth. Use this fact to prove the proposition. (Hint. Use Exercise 9.12.) 9.14. Prove that for any language L over the alphabet fag and any in nite regular language over fag, the concatenation language L is regular.
MIT Press Math7X9/2000/06/30:10:36 P age 258
MIT Press Math7X9/2000/06/30:10:36 Page 259
10 Other Variants of PDL A number of interesting variants are obtained by extending or restricting the standard version of PDL in various ways. In this section we describe some of these variants and review some of the known results concerning relative expressive power, complexity, and proof theory. These investigations are aimed at revealing the power of such programming features as recursion, testing, concurrency, and nondeterminism when reasoning on a propositional level. The extensions and restrictions we consider are varied. One can require that programs be deterministic (Section 10.1), that tests not appear or be simple (Section 10.2), or that programs be expressed by nite automata (Section 10.3). We studied nonregular programs in Chapter 9; one can also augment the language of regular programs by adding operators for converse, intersection, or complementation (Sections 10.4 and 10.5), or the ability to assert that a program cannot execute forever (Section 10.6), or a form of concurrency and communication (Section 10.7). Wherever appropriate, questions of expressiveness, complexity, and axiomatic completeness are addressed anew.
10.1 Deterministic PDL and While Programs Nondeterminism arises in PDL in two ways: atomic programs can be interpreted in a structure as (not necessarily singlevalued) binary relations on states; and the programming constructs [ and involve nondeterministic choice. Many modern programming languages have facilities for concurrency and distributed computation, certain aspects of which can be modeled by nondeterminism. Nevertheless, the majority of programs written in practice are still deterministic. In this section we investigate the eect of eliminating either one or both of these sources of nondeterminism from PDL. A program is said to be (semantically ) deterministic in a Kripke frame K if its traces are uniquely determined by their rst states. If is an atomic program a, this is equivalent to the requirement that mK (a) be a partial function; that is, if both (s; t) and (s; t0 ) 2 mK (a), then t = t0 . A deterministic Kripke frame K = (K; mK ) is one in which all atomic a are semantically deterministic. The class of deterministic while programs , denoted DWP, is the class of programs in which
MIT Press Math7X9/2000/06/30:10:36 Page 260
260
Chapter 10
the operators [, ?, and may appear only in the context of the conditional test, while loop, skip, or fail; tests in the conditional test and while loop are purely propositional; that is, there is no occurrence of the < > or [ ] operators.
The class of nondeterministic while programs, denoted WP, is the same, except unconstrained use of the nondeterministic choice construct [ is allowed. It is easily shown that if and are semantically deterministic in K, then so are if ' then else and while ' do (Exercise 5.2). By restricting either the syntax or the semantics or both, we obtain the following logics:
DPDL (deterministic PDL), which is syntactically identical to PDL, but interpreted over deterministic structures only; SPDL (strict PDL), in which only deterministic while programs are allowed; and SDPDL (strict deterministic PDL), in which both restrictions are in force.
Validity and satis ability in DPDL and SDPDL are de ned just as in PDL, but with respect to deterministic structures only. If ' is valid in PDL, then ' is also valid in DPDL, but not conversely: the formula '
! [a]'
(10.1.1)
is valid in DPDL but not in PDL. Also, SPDL and SDPDL are strictly less expressive than PDL or DPDL, since the formula <(a
[ b) >'
(10.1.2)
is not expressible in SPDL, as shown in Halpern and Reif (1983). Theorem 10.1: '
If the axiom scheme
! [a]'; a 2 0
(10.1.3)
is added to Axiom System 5.5, then the resulting system is sound and complete for DPDL. Proof sketch. The extended system is certainly sound, since (10.1.3) is a straightforward consequence of semantic determinacy. Completeness can be shown by modifying the construction of Section 7.1 with some special provisions for determinancy. For example, in the construction leading
MIT Press Math7X9/2000/06/30:10:36 Page 261
Other Variants of PDL
261
up to Lemma 7.3, we de ned a nonstandard Kripke frame N whose states were maximal consistent sets of formulas such that mN(a) def =
f(s; t) j 8' ' 2 t ! ' 2 sg = f(s; t) j 8' [a]' 2 s ! ' 2 tg:
The structure N produced in this way need not be deterministic, but it can be \unwound" into a treelike deterministic structure which satis es the given satis able formula. The proof sketched above also yields: Theorem 10.2:
Validity in DPDL is deterministic exponential-time complete.
Proof sketch. The upper bound is shown in Ben-Ari et al. (1982). For the lower bound, a formula ' is valid in PDL i '0 is valid in DPDL, where '0 is obtained from ' by replacing all atomic programs a by ab for some new atomic program b. The possibility of reaching many new states via a from some state s in PDL is modeled in DPDL by the possibility of executing b many times from the single state reached via a from s. The result follows from the linearity of this transformation.
Now we turn to SPDL, in which atomic programs can be nondeterministic but can be composed into larger programs only with deterministic constructs. Theorem 10.3:
Validity in SPDL is deterministic exponential-time complete.
Proof sketch. Since we have restricted the syntax only, the upper bound carries over directly from PDL. For the lower bound, a formula ' of PDL is valid i '0 is valid in SPDL, where '0 involves new nondeterministic atomic programs acting as \switches" for deciding when the tests that control the determinism of if-then-else and while-do statements are true. For example, the nondeterministic program can be simulated in SPDL by the program b; while p do (; b).
The nal version of interest is SDPDL, in which both the syntactic restrictions of SPDL and the semantic ones of DPDL are adopted. Note that the crucial [Next] that appears in the simulation of the alternating Turing machine in Section 8.2 can no longer be written as it is, because we do not have the use of the construct, and it apparently cannot be simulated with nondeterministic atomic programs as above either. Indeed, the exponential-time lower bound fails here, and we have:
MIT Press Math7X9/2000/06/30:10:36 Page 262
262
Theorem 10.4:
space.
Chapter 10
The validity problem for SDPDL is complete in polynomial
Proof sketch. For the upper bound, the following two nontrivial properties of formulas of SDPDL are instrumental:
(i) if ' is satis able, then it is satis able in a treelike structure with only polynomially many nodes at each level. (In Theorem 10.5 a counterexample for DPDL and PDL is given.) (ii) if ' is satis ed in a treelike structure A, then A can be collapsed into a nite structure by \bending" certain edges back to ancestors, resulting in a treelike structure with back edges of depth at most exponential in j'j that has no nested or crossing backedges. The polynomial-space procedure attempts to construct a treelike model for a given formula by carrying out a depth- rst search of potential structures, deciding nondeterministically whether or not to split nodes and whether or not to bend edges backwards. The size of the stack for such a procedure can be made to be polynomial in the size of the formula, since we have a treelike object of exponential depth but only polynomial width, hence exponential size. Savitch's theorem is then invoked to eliminate the nondeterminism while remaining in polynomial space. For the lower bound, we proceed as in the proof of the lower bound for PDL in Theorem 8.5. Given a polynomial space-bounded one-tape deterministic Turing machine M accepting a set L(M ), a formula 'x of SDPDL is constructed for each word x that simulates the computation of M on x. The formula 'x will be polynomial-time computable and satis able i x 2 K . Since we do not have the program Next , the entire formula constructed in the proof of Theorem 8.5 must be restructured, and will now take on the form <
while : do (Next; ?)>1;
where describes an accepting con guration of M and veri es that con gurations and transitions behave correctly. These parts of the formula can be constructed similarly to those used in the proof of Theorem 8.5. The question of relative power of expression is of interest here. Is DPDL < PDL? Is SDPDL < DPDL? The rst of these questions is inappropriate, since the syntax of both languages is the same but they are interpreted over dierent classes of structures. Considering the second, we have:
MIT Press Math7X9/2000/06/30:10:36 Page 263
Other Variants of PDL
Theorem 10.5:
263
SDPDL < DPDL and SPDL < PDL.
Proof The DPDL formula [(a [ b) ](1 ^ 1) (10.1.4) is satis ed in the full in nite binary tree (with a modeled, say, by left transitions and b by right ones), but in no tree structure with polynomially many nodes at each level. This contradicts property (i) of SDPDL in the proof of Theorem 10.4. The argument goes through even if (10.1.4) is thought of as a PDL formula and is compared with SPDL. In summary, we have the following diagram describing the relations of expressiveness between these logics. The solid arrows indicate added expressive power and broken ones a dierence in semantics. The validity problem is exponential-time complete for all but SDPDL, for which it is PSPACE -complete. Straightforward variants of Axiom System 5.5 are complete for all versions. PDL
3 SPDL kQ Q
kQ
Q DPDL 3
SDPDL
10.2 Restricted Tests Tests '? in PDL are de ned for arbitrary propositions '. This is sometimes called rich test PDL. Rich tests give substantially more power than one would normally nd in a conventional programming language. For example, if ' is the formula [] , the test '? in eect allows a program to pause during the computation and ask the question: \Had we run program now, would have been true upon termination?" without actually running . For example, the formula [([]p)?; ]p is valid. In general, however, this kind of question would be undecidable. A more realistic model would allow tests with Boolean combinations of atomic formulas only. This is called poor-test PDL. To re ne this distinction somewhat, we introduce a hierarchy of subsets of determined by the depth of nesting of tests. We then establish that each level of the hierarchy is strictly more expressive than all lower levels.
MIT Press Math7X9/2000/06/30:10:36 Page 264
264
Chapter 10
Let (0) be the subset of in which programs contain no tests. This actually means that programs are regular expressions over the set 0 of atomic programs. Now let (i+1) be the subset of in which programs can contain tests '? only S for ' 2 (i) . The logic restricted toSformulas (i) is called PDL(i) . Clearly, = i (i) , and we can also write PDL = i PDL(i) . The logic PDL(0) is sometimes called testfree PDL. The language fragment PDL(1) can test test-free formulas of PDL and these themselves can contain test-free programs. Poor-test PDL, which can test only Boolean combinations of atomic formulas, ts in between PDL(0) and PDL(1) (we might call it PDL(0:5) ). Since the lower bound proof of Theorem 8.5 does not make use of tests at all, the exponential time lower bound carries over even to PDL(0) , the weakest version considered here, and of course the upper bound of Section 8.1 holds too. Also, omitting axiom (vi) from Axiom System 5.5 yields a complete axiom system for PDL(0) . The question we now ask is whether even atomic tests add to the expressive power of PDL. The answer is armative. Theorem 10.6:
PDL(0) < poor-test PDL.
Proof sketch. Axioms 5.5(iv), (v), and (vi) enable one to eliminate from formulas all tests that do not appear under a operator. Consequently, a proof of the theorem will have to make use of iterating a test. Let ' be the the poor-test PDL formula
' def =
(:p)?a>p
<(p?a)
for atomic a and p. Consider the structure Am illustrated in the following gure, where arrows indicate a-transitions.
' s s s
u0 p
-up1 -up2 -
p
s s
um;1 um -:p -p
-
p
$ s s
u2m;1 u2m -:p -:p
For 0 k < m, Am; uk ', but Am; uk+m 2 '. The rest of the proof is devoted to formalizing the following intuition. Without the ability to test p inside a loop, it is impossible to tell in general whether the current state belongs to the left- or right-hand portion of the structure, since it is always possible to proceed and nd oneself eventually in the other portion.
MIT Press Math7X9/2000/06/30:10:36 Page 265
Other Variants of PDL
265
To that end, it becomes necessary to see to it that a test-free a or (ai ) program cannot distinguish between these possibilities. The constants m and k are therefore chosen carefully, taking into account the eventual periodicity of one-letter regular sets. Speci cally, it can be shown that for any test-free formula there are m and k such that Am ; uk i Am ; uk+m , hence ' cannot be equivalent to any formula of PDL(0) . Theorem 10.6 can be generalized to Theorem 10.7:
For every i 0, PDL(i) < PDL(i+1) .
Proof sketch. The proof is very similar in nature to the previous one. In particular, let '0 be the ' of the previous proof with a0 replacing a, and let 'j+1 be ' with aj+1 replacing a and 'j replacing the atomic formula p. Clearly, 'i 2 (i+1) ; (i). The idea is to build an elaborate multi-layered version of the structure Am described above, in which states satisfying p or :p in Am now have transitions leading down to appropriate distinct points in lower levels of the structure. The lowest level is identical to Am . The intuition is that descending a level in the structure corresponds to nesting a test in the formula. The argument that depth of nesting i + 1 is required to distinguish between appropriately chosen states uk and uk+m is more involved but similar.
The proofs of these results make no essential use of nondeterminism and can be easily seen to hold for the deterministic versions of PDL from Section 10.1 (similarly re ned according to test depth). Corollary 10.8: For every i 0, we have DPDL(i) < DPDL(i+1) ; SPDL(i) < SPDL(i+1) ; SDPDL(i) < SDPDL(i+1) :
In fact, it seems that the ability to test is in a sense independent of the ability to branch nondeterministically. The proof of Theorem 10.5 uses no tests and therefore actually yields a stronger result: There is a formula of DPDL(0) (respectively, PDL(0) ) that is not expressible in SDPDL (respectively SPDL). Theorem 10.9:
MIT Press Math7X9/2000/06/30:10:36 Page 266
266
Chapter 10
We thus have the following situation: for nondeterministic structures, SPDL(0) < SPDL(1) < < SPDL; PDL(0) < PDL(1) < < PDL; and for deterministic structures, SDPDL(0) < SDPDL(1) < < SDPDL DPDL(0) < DPDL(1) < < DPDL:
10.3 Representation by Automata A PDL program represents a regular set of computation sequences. This same regular set could possibly be represented exponentially more succinctly by a nite automaton. The dierence between these two representations corresponds roughly to the dierence between while programs and owcharts. Since nite automata are exponentially more succinct in general, the upper bound of Section 8.1 could conceivably fail if nite automata were allowed as programs. Moreover, we must also rework the deductive system of Section 5.5. However, it turns out that the completeness and exponential-time decidability results of PDL are not sensitive to the representation and still go through in the presence of nite automata as programs, provided the deductive system of Section 5.5 and the techniques of Chapter 7 and Section 8.1 are suitably modi ed, as shown in Pratt (1979b, 1981b) and Harel and Sherman (1985). In recent years, the automata-theoretic approach to logics of programs has yielded signi cant insight into propositional logics more powerful than PDL, as well as substantial reductions in the complexity of their decision procedures. Especially enlightening are the connections with automata on in nite strings and in nite trees. By viewing a formula as an automaton and a treelike model as an input to that automaton, the satis ability problem for a given formula becomes the emptiness problem for a given automaton. Logical questions are thereby transformed into purely automata-theoretic questions. This connection has prompted renewed inquiry into the complexity of automata on in nite objects, with considerable success. See Courcoubetis and Yannakakis (1988); Emerson (1985); Emerson and Jutla (1988); Emerson and Sistla (1984); Manna and Pnueli (1987); Muller et al. (1988); Pecuchet (1986); Safra (1988); Sistla et al. (1987); Streett (1982); Vardi (1985a,b, 1987); Vardi and Stockmeyer (1985); Vardi and Wolper (1986c,b); Arnold (1997a,b); and Thomas (1997). Especially noteworthy in this area is the result of Safra (1988) involving the complexity
MIT Press Math7X9/2000/06/30:10:36 Page 267
Other Variants of PDL
267
of converting a nondeterministic automaton on in nite strings into an equivalent deterministic one. This result has already had a signi cant impact on the complexity of decision procedures for several logics of programs; see Courcoubetis and Yannakakis (1988); Emerson and Jutla (1988, 1989); and Safra (1988). We assume that nondeterministic nite automata are given in the form
M = (n; i; j; );
(10.3.1)
where n = f0; : : : ; n ; 1g is the set of states, i; j 2 n are the start and nal states respectively, and assigns a subset of 0 [ f'? j ' 2 g to each pair of states. Intuitively, when visiting state ` and seeing symbol a, the automaton may move to state k if a 2 (`; k). The fact that the automata (10.3.1) have only one accept state is without loss of generality. If M is an arbitrary nondeterministic nite automaton with accept states F , then the set accepted by M is the union of the sets accepted by Mk for k 2 F , where Mk is identical to M except that it has unique accept state k. A desired formula [M ]' can be written as a conjunction
^
k2F
[Mk ]'
with at most quadratic growth. We now obtain a new logic APDL (automata PDL) by de ning and inductively using the clauses for from Section 5.1 and letting = 0 [ f'? j ' 2 g [ F , where F is the set of automata of the form (10.3.1). Exponential time decidability and completeness can be proved by adapting and generalizing the techniques used in Chapter 7 and Section 8.1 for PDL. We shall not supply full details here, except to make a couple of comments that will help give the reader the avor of the adaptations needed. There is an analogue AFL(') of the Fischer{Ladner closure FL(') of a formula ' de ned in Section 6.1. The inductive clauses for ; , [ , and are replaced by:
if [n; i; j; ] 2 AFL('), then for every k 2 n and 2 (i; k), [][n; k; j; ]
2 AFL(');
in addition, if i = j , then 2 AFL(').
MIT Press Math7X9/2000/06/30:10:36 Page 268
268
Chapter 10
Axioms 5.5(iv), (v), and (vii) are replaced by:
^
[n; i; j; ]'
$
[n; i; i; ]'
$ '^
k2n 2(i;k)
[][n; k; j; ]';
^
k2n 2(i;k)
i 6= j
[][n; k; i; ]':
(10.3.2) (10.3.3)
The induction axiom 5.5(viii) becomes (
^
k2n
[n; i; k; ]('k
!
^
m2n 2(k;m)
[]'m ))
! ('i ! [n; i; j; ]'j ):
(10.3.4)
These and other similar changes can be used to prove: Theorem 10.10:
Validity in APDL is decidable in exponential time.
Theorem 10.11:
The axiom system described above is complete for APDL.
10.4 Complementation and Intersection In previous sections we exploited the fact that programs in PDL are regular expressions, hence denote sets of computations recognizable by nite automata. Consequently, those operations on programs that do not lead outside the class of regular sets, such as the shue operator k (of importance in reasoning about concurrent programs) need not be added explicitly to PDL. Thus the intersection of programs and the complement of a program are expressible in PDL by virtue of these operations being regular operations. However, this is so only when the operations are regarded as being applied to the languages denoted by the programs, so that for example the intersection of and contains all execution sequences of atomic programs and tests contained in both. In this section we are interested in a more re ned notion of such operations. Speci cally, we consider the complementation and intersection of the binary relations on states denoted by programs. Let ; and \ stand for new programs with semantics mK (;) def = (K K ) ; mK () def mK ( \ ) = mK () \ mK ( ):
MIT Press Math7X9/2000/06/30:10:36 Page 269
Other Variants of PDL
269
It is clear that \ can be de ned as ;(; [ ; ), so we might have considered adding complementation only. However, for this case we have the following immediate result. The validity problem for PDL with the complementation operator is undecidable. Theorem 10.12:
Proof The result follows from the known undecidability of the equivalence problem for the algebra of binary relations with complementation.
However, it is of interest to consider the logic IPDL, de ned as PDL with \ in for each ; 2 . The corresponding equivalence problem for binary relations is not known to be undecidable and can be shown to be no higher than 01 in the arithmetic hierarchy. This should be contrasted with Theorem 10.14 below. First, we establish the following. Theorem 10.13:
There is a satis able formula of IPDL that has no nite model.
Proof sketch. Take to be
1 ^ [aa \ 1?]0):
[a ](
Satis ability is seen to hold in an in nite a-path. The second conjunct, however, states that non-empty portions of a-paths do not bend backwards; therefore no two states on such an in nite path can be identical. The following result is the strongest available. It concerns the version IDPDL of IPDL in which structures are deterministic. The validity problem for IDPDL (hence also for DPDL with complementation of programs) is 11 -complete. Theorem 10.14:
Proof sketch. We reduce the recurring tiling problem of Proposition 2.22 to the satis ability of formulas in IDPDL. First we construct a formula that forces its models to contain a (possibly cyclic) two-dimensional grid. This is done using atomic programs North and East as follows: [(North
[ East) ](<(North; East) \ (East; North)>1:
The proof then continues along the lines of the proof of Theorem 9.6.
MIT Press Math7X9/2000/06/30:10:36 Page 270
270
Chapter 10
It is interesting to observe that the techniques used in proving Theorem 10.14 do not seem to apply to the nondeterministic cases. It is not known at present whether IPDL is decidable, although it would be very surprising if were.
10.5 Converse The converse operator ; is a program operator that allows a program to be \run backwards": mK (; ) def = f(s; t) j (t; s) 2 mK ()g: PDL with converse is called CPDL. The following identities, proved valid in Theorem 5.12, allow us to assume without loss of generality that the converse operator is applied to atomic programs only. ( ; ); $ ; ; ; ( [ ); $ ; [ ;
; $ ; :
The converse operator strictly increases the expressive power of PDL, since the formula <; >1 is not expressible without it. Theorem 10.15:
PDL < CPDL.
s s s
Proof Consider the structure described in the following gure:
s
6
u
a
t
In this structure, s 1 but u 2 1. On the other hand, it can be shown by induction on the structure of formulas that if s and u agree on all atomic formulas, then no formula of PDL can distinguish between the two. More interestingly, the presence of the converse operator implies that the operator <> is continuous inWthe senseWthat if A is any (possibly in nite) family of formulas possessing a join A, then <>A exists and is logically equivalent to W <> A (Theorem 5.14). In the absence of the converse operator, one can construct nonstandard models for which this fails (Exercise 5.12).
MIT Press Math7X9/2000/06/30:10:36 Page 271
Other Variants of PDL
271
The completeness and exponential time decidability results of Chapter 7 and Section 8.1 can be extended to CPDL provided the following two axioms are added:
' ! ' !
[]<; >'
[; ]<>':
The ltration lemma (Lemma 6.4) still holds in the presence of ; , as does the nite model property.
10.6 Well-Foundedness and Total Correctness If is a deterministic program, the formula ' ! <> asserts the total correctness of with respect to pre- and postconditions ' and , respectively. For nondeterministic programs, however, this formula does not express the right notion of total correctness. It asserts that ' implies that there exists a halting computation sequence of yielding , whereas we would really like to assert that ' implies that all computation sequences of terminate and yield . Let us denote the latter property by TC ('; ; ):
Unfortunately, this is not expressible in PDL. The problem is intimately connected with the notion of well-foundedness . A program is said to be well-founded at a state u0 if there exists no in nite sequence of states u0; u1 ; u2 ; : : : with (ui ; ui+1 ) 2 mK () for all i 0. This property is not expressible in PDL either, as we will see. Several very powerful logics have been proposed to deal with this situation. The most powerful is perhaps the propositional -calculus, which is essentially propositional modal logic augmented with a least xpoint operator . Using this operator, one can express any property that can be formulated as the least xpoint of a monotone transformation on sets of states de ned by the PDL operators. For example, the well-foundedness of a program is expressed
X:[]X
(10.6.1)
in this logic. We will discuss the propositional -calculus in more detail in Section 17.4. Two somewhat weaker ways of capturing well-foundedness without resorting to the full -calculus have been studied. One is to add to PDL an explicit predicate
MIT Press Math7X9/2000/06/30:10:36 Page 272
272
Chapter 10
wf for well-foundedness: mK (wf ) def = fs0 j :9s1 ; s2 ; : : : 8i 0 (si ; si+1 ) 2 mK ()g: Another is to add an explicit predicate halt, which asserts that all computations of its argument terminate. The predicate halt can be de ned inductively from wf as follows: def halt a () 1; a an atomic program or test; (10.6.2) def halt ; () halt ^ []halt ; (10.6.3) def halt [ () halt ^ halt ; (10.6.4) def halt () wf ^ [ ]halt : (10.6.5) These constructs have been investigated in Harel and Pratt (1978), Harel and Sherman (1982), Niwinski (1984), and Streett (1981, 1982, 1985b) under the various names loop, repeat, and . The predicates loop and repeat are just the complements of halt and wf , respectively: def loop () :halt def repeat () :wf :
Clause (10.6.5) is equivalent to the assertion
def loop () repeat _ <>loop :
It asserts that a nonhalting computation of consists of either an in nite sequence of halting computations of or a nite sequence of halting computations of followed by a nonhalting computation of . Let RPDL and LPDL denote the logics obtained by augmenting PDL with the wf and halt predicates, respectively.1 It follows from the preceding discussion that PDL LPDL RPDL the propositional -calculus: Moreover, all these inclusions are known to be strict. The logic LPDL is powerful enough to express the total correctness of nondeterministic programs. The total correctness of with respect to precondition ' and postcondition is expressed def TC ('; ; ) () ' ! halt ^ [] :
1 The L in LPDL stands for \loop" and the R in RPDL stands for \repeat." We retain these names for historical reasons.
MIT Press Math7X9/2000/06/30:10:36 Page 273
Other Variants of PDL
273
Conversely, halt can be expressed in terms of TC : halt () TC (1; ; 1): The ltration lemma fails for RPDL, LPDL, and the propositional -calculus (except under certain strong syntactic restrictions which render formulas like (10.6.1) ineable; see Pratt (1981a)). This can be seen by considering the model K = (K; mK ) with K def = f(i; j ) 2 N 2 j 0 j ig [ fug and atomic program a with mK (a) def =
f((i; j ); (i; j ; 1)) j 1 j ig [ f(u; (i; i)) j i 2 Ng: u
sX PX ;H @P HX PX PXXX s s s s; s @H s HP s Ps Xs
s
s s
s s s
s s s s
s s s s s
s s s s s s
s s s s s s s
s s s s s s s s
The state u satis es halt a and wf a, but its equivalence class in any nite ltrate does not satisfy either of these formulas. It follows that Theorem 10.16:
PDL < LPDL.
Proof By the preceding argument and Lemma 6.4, neither halt a nor wf a is equivalent to any PDL formula. Theorem 10.17:
LPDL < RPDL.
Proof sketch. For any i, let An and Bn be the structures of Figures 10.1 and 10.2, respectively. The state ti of Bn is identi ed with the state s0 in its own copy of An . For any n and i n, An; si wf ab, but Bn ; ti :wf ab. However, for each formula ' of LPDL, it is possible to nd a large enough n such that for all i n, Bn ; ti ' i An ; s0 '. This is proved by induction on the structure of '. For the
MIT Press Math7X9/2000/06/30:10:36 Page 274
274
Chapter 10
a
a
^ s0
b
a
-^ s1
b
b
-^ s2 3
a b
b
a
-^ s3 3
b
-
b
-^ sn
a
-
b b
b
b b
Figure 10.1
The structure An
b
+ a-
t0
t1
An
An
a
-
t2 An
a
-
t3 An
a
-
tn An
Figure 10.2
The structure Bn
case of halt , one uses the fact that in order to capture the in nite path of a's and b's in Bn with a :halt clause, say :halt (a b) for example, there must exist an in nite computation of that after some nite bounded length consists solely of a's. Hence, this particular :halt clause is already satis ed in An for sucient large n. The argument is similar to the proof of the pumping lemma for regular languages; see Hopcroft and Ullman (1979) or Kozen (1997a). It is possible to extend Theorem 10.17 to versions CRPDL and CLPDL in which converse is allowed in addition to wf or halt. Also, the proof of Theorem 10.15 goes through for LPDL and RPDL, so that 1 is not expressible in either. Theorem 10.16 goes through for the converse versions too. We obtain the situation illustrated in the following gure, in which the arrows indicate < and the absence of a path between two logics means that each can express properties that the other cannot.
MIT Press Math7X9/2000/06/30:10:36 Page 275
Other Variants of PDL
275
CRPDL
3
QkQ
CLPDL 3 QkQ
CPDL kQ Q
Q
Q RPDL 3
Q LPDL 3
PDL
The ltration lemma fails for all halt and wf versions as in the proof of Theorem 10.16. However, satis able formulas of the -calculus (hence of RPDL and LPDL) do have nite models. This nite model property is not shared by CLPDL or CRPDL. Theorem 10.18:
The CLPDL formula
:halt a ^ [a ]halt a;
is satis able but has no nite model. Proof Let ' be the formula in the statement of the theorem. This formula is satis ed in the in nite model
s s s s s s s s a
-
a
-
a
-
a
-
a
-
a
-
a
-
a
-
To show it is satis ed in no nite model, suppose K; s '. By (10.6.2) and (10.6.5),
halt a () wf a ^ [a]halt a () wf a ^ [a]1 () wf a; thus K; s :wf a. This says that there must be an in nite a-path starting at s. However, no two states along that path can be identical without violating the clause [a ]halt a ; of ', thus K is in nite. As it turns out, Theorem 10.18 does not prevent CRPDL from being decidable.
MIT Press Math7X9/2000/06/30:10:36 Page 276
276
Chapter 10
The validity problems for CRPDL, CLPDL, RPDL, LPDL, and the propositional -calculus are all decidable in deterministic exponential time. Theorem 10.19:
Obviously, the simpler the logic, the simpler the arguments needed to show exponential time decidability. Over the years all these logics have been gradually shown to be decidable in exponential time by various authors using various techniques. Here we point to the exponential time decidability of the propositional -calculus with forward and backward modalities, proved in Vardi (1998b), from which all these can be seen easily to follow. The proof in Vardi (1998b) is carried out by exhibiting an exponential time decision procedure for two-way alternating automata on in nite trees. As mentioned above, RPDL possesses the nite (but not necessarily the small and not the collapsed) model property. Theorem 10.20: Every satis able formula of RPDL, LPDL, and the propositional
-calculus has a nite model.
Proof sketch. The proof uses the fact that every automaton on in nite trees that accepts some tree accepts a tree obtained by unwinding a nite graph. For a satis able formula ' in these logics, it is possible to transform the nite graph obtained in this way from the automaton for ' into a nite model of '. CRPDL and CLPDL are extensions of PDL that, like PDL + a b (Theorems 9.5 and 9.9), are decidable despite lacking a nite model property. Complete axiomatizations for RPDL and LPDL can be obtained by embedding them into the -calculus (see Section 17.4).
10.7 Concurrency and Communication Another interesting extension of PDL concerns concurrent programs. Recall the intersection operator \ introduced in Section 10.4. The binary relation on states corresponding to the program \ is the intersection of the binary relations corresponding to and . This can be viewed as a kind of concurrency operator that admits transitions to those states that both and would have admitted. In this section, we consider a dierent and perhaps more natural notion of concurrency. The interpretation of a program will not be a binary relation on states, which relates initial states to possible nal states, but rather a relation between a states and sets of states. Thus mK () will relate a start state u to a collection of sets
MIT Press Math7X9/2000/06/30:10:36 Page 277
Other Variants of PDL
277
of states U . The intuition is that starting in state u, the (concurrent) program can be run with its concurrent execution threads ending in the set of nal states U . The basic concurrency operator will be denoted here by ^, although in the original work on concurrent Dynamic Logic (Peleg (1987b,c,a)) the notation \ is used. The syntax of concurrent PDL is the same as PDL, with the addition of the clause: if ; 2 , then ^ 2 . The program ^ means intuitively, \Execute and in parallel." The semantics of concurrent PDL is de ned on Kripke frames K = (K; mK ) as with PDL, except that for programs , mK ()
K 2K :
Thus the meaning of is a collection of reachability pairs of the form (u; U ), where u 2 K and U K . In this brief description of concurrent PDL, we require that structures assign to atomic programs sequential, non-parallel, meaning; that is, for each a 2 0 , we require that if (u; U ) 2 mK (a), then #U = 1. The true parallelism will stem from applying the concurrency operator to build larger sets U in the reachability pairs of compound programs. We shall not provide the details here; the reader is referred to Peleg (1987b,c). The relevant results for this logic are the following: Theorem 10.21:
PDL < concurrent PDL.
The validity problem for concurrent PDL is decidable in deterministic exponential time. Theorem 10.22:
Axiom System 5.5, augmented with the following axiom, can be be shown to be complete for concurrent PDL: <
^ >' $ <>' ^ < >':
10.8 Bibliographical Notes Completeness and exponential time decidability for DPDL, Theorem 10.1 and the upper bound of Theorem 10.2, are proved in Ben-Ari et al. (1982) and Valiev (1980).
MIT Press Math7X9/2000/06/30:10:36 Page 278
278
Chapter 10
The lower bound of Theorem 10.2 is from Parikh (1981). Theorems 10.4 and 10.5 on SDPDL are from Halpern and Reif (1981, 1983). That tests add to the power of PDL (Theorem 10.6) is proved in Berman and Paterson (1981), and Theorem 10.7 appears in Berman (1978) and Peterson (1978). It can be shown (Peterson (1978); Berman (1978); Berman and Paterson (1981)) that rich-test PDL is strictly more expressive than poor-test PDL. These results also hold for SDPDL (see Section 10.1). The results on programs as automata (Theorems 10.10 and 10.11) appear in Pratt (1981b) but the proofs sketched are from Harel and Sherman (1985). The material of Section 10.4 on the intersection of programs is from Harel et al. (1982). That the axioms in Section 10.5 yield completeness for CPDL is proved in Parikh (1978a). The complexity of PDL with converse and various forms of well-foundedness constructs is studied in Vardi (1985b). Many authors have studied logics with a least- xpoint operator, both on the propositional and rst-order levels (Scott and de Bakker (1969); Hitchcock and Park (1972); Park (1976); Pratt (1981a); Kozen (1982, 1983, 1988); Kozen and Parikh (1983); Niwinski (1984); Streett (1985b); Vardi and Stockmeyer (1985)). The version of the propositional -calculus presented here was introduced in Kozen (1982, 1983). That the propositional -calculus is strictly more expressive than PDL with wf was show in Niwinski (1984) and Streett (1985b). That this logic is strictly more expressive than PDL with halt was shown in Harel and Sherman (1982). That this logic is strictly more expressive than PDL was shown in Streett (1981). The wf construct (actually its complement, repeat) is investigated in Streett (1981, 1982), in which Theorems 10.16 (which is actually due to Pratt) and 10.18{10.20 are proved. The halt construct (actually its complement, loop) was introduced in Harel and Pratt (1978) and Theorem 10.17 is from Harel and Sherman (1982). Finite model properties for the logics LPDL, RPDL, CLPDL, CRPDL, and the propositional -calculus were established in Streett (1981, 1982) and Kozen (1988). Decidability results were obtained in Streett (1981, 1982); Kozen and Parikh (1983); Vardi and Stockmeyer (1985); and Vardi (1985b). Deterministic exponential-time completeness was established in Emerson and Jutla (1988) and Safra (1988). For the strongest variant, CRPDL, exponential-time decidability follows from Vardi (1998b). Concurrent PDL is de ned in Peleg (1987b), in which the results of Section 10.7 are proved. Additional versions of this logic, which employ various mechanisms for communication among the concurrent parts of a program, are considered in Peleg (1987c,a). These papers contain many results concerning expressive power, decidability and undecidability for concurrent PDL with communication.
MIT Press Math7X9/2000/06/30:10:36 Page 279
Other Variants of PDL
279
Other work on PDL not described here includes work on nonstandard models, studied in Berman (1979, 1982) and Parikh (1981); PDL with Boolean assignments, studied in Abrahamson (1980); and restricted forms of the consequence problem, studied in Parikh (1981).
MIT Press Math7X9/2000/06/30:10:36 P age 280
MIT Press Math7X9/2000/06/30:10:36 Page 281
III FIRST-ORDER DYNAMIC LOGIC
MIT Press Math7X9/2000/06/30:10:36 Page 282
MIT Press Math7X9/2000/06/30:10:36 Page 283
11 First-Order Dynamic Logic In this chapter we begin the study of rst-order Dynamic Logic. The main dierence between rst-order DL and the propositional version PDL discussed in Part II of the book is the presence of a rst-order structure A, called the domain of computation , over which rst-order quanti cation is allowed. States are no longer abstract points, but valuations of a set of variables over A, the carrier of A. Atomic programs in DL are no longer abstract binary relations, but assignment statements of various forms, all based on assigning values to variables during the computation. The most basic example of such an assignment is the simple assignment x := t, where x is a variable and t is a term. The atomic formulas of DL are generally taken to be atomic rst-order formulas. In addition to the constructs introduced in Part II, the basic DL syntax contains individual variables ranging over A, function and predicate symbols for distinguished functions and predicates of A, and quanti ers ranging over A, exactly as in classical rst-order logic. More powerful versions of the logic contain array and stack variables and other constructs, as well as primitive operations for manipulating them, and assignments for changing their values. Sometimes the introduction of a new construct increases expressive power and sometimes not; sometimes it has an eect on the complexity of deciding satis ability and sometimes not. Indeed, one of the central goals of Part III of the book is to classify these constructs in terms of their relative expressive power and complexity. In this chapter we lay the groundwork for this by de ning the various logical and programming constructs we shall be needing.
11.1 Basic Syntax The language of rst-order Dynamic Logic is built upon classical rst-order logic as described in Section 3.4. There is always an underlying rst-order vocabulary , which involves a vocabulary of function symbols and predicate (or relation) symbols. On top of this vocabulary, we de ne a set of programs and a set of formulas . These two sets interact by means of the modal construct [ ] exactly as in the propositional case. Programs and formulas are usually de ned by mutual induction. Let = ff; g; : : : ; p; r; : : : g be a nite rst-order vocabulary. Here f and g denote typical function symbols of , and p and r denote typical relation symbols. Associated with each function and relation symbol of is a xed arity (number of arguments), although we do not represent the arity explicitly. We assume
MIT Press Math7X9/2000/06/30:10:36 Page 284
284
Chapter 11
that always contains the equality symbol =, whose arity is 2. Functions and relations of arity 0; 1; 2; 3 and n are called nullary, unary, binary, ternary, and nary, respectively. Nullary functions are also called constants. We shall be using a countable set of individual variables V = fx0 ; x1 ; : : : g. The de nitions of DL programs and formulas below depend on the vocabulary , but in general we shall not make this dependence explicit unless we have some speci c reason for doing so.
Atomic Formulas and Programs
In all versions of DL that we will consider, atomic formulas are atomic formulas of the rst-order vocabulary ; that is, formulas of the form r(t1 ; : : : ; tn ); where r is an n-ary relation symbol of and t1 ; : : : ; tn are terms of . As in PDL, programs are de ned inductively from atomic programs using various programming constructs. The meaning of a compound program is given inductively in terms of the meanings of its constituent parts. Dierent classes of programs are obtained by choosing dierent classes of atomic programs and programming constructs. In the basic version of DL, an atomic program is a simple assignment x := t; (11.1.1) where x 2 V and t is a term of . Intuitively, this program assigns the value of t to the variable x. This is the same form of assignment found in most conventional programming languages. More powerful forms of assignment such as stack and array assignments and nondeterministic \wildcard" assignments will be discussed later. The precise choice of atomic programs will be made explicit when needed, but for now, we use the term atomic program to cover all of these possibilities.
Tests
As in PDL, DL contains a test operator ?, which turns a formula into a program. In most versions of DL that we shall discuss, we allow only quanti er-free rstorder formulas as tests. We sometimes call these versions poor test . Alternatively, we might allow any rst-order formula as a test. Most generally, we might place no restrictions on the form of tests, allowing any DL formula whatsoever, including those that contain other programs, perhaps containing other tests, etc. These
MIT Press Math7X9/2000/06/30:10:36 Page 285
First-Order Dynamic Logic
285
versions of DL are labeled rich test as in Section 10.2. Whereas programs can be de ned independently from formulas in poor test versions, rich test versions require a mutually inductive de nition of programs and formulas. As with atomic programs, the precise logic we consider at any given time depends on the choice of tests we allow. We will make this explicit when needed, but for now, we use the term test to cover all possibilities.
Regular Programs
For a given set of atomic programs and tests, the set of regular programs is de ned as in PDL (see Section 5.1): any atomic program or test is a program; if and are programs, then ; is a program; if and are programs, then [ is a program; if is a program then is a program.
While Programs
Some of the literature on DL is concerned with the class of while programs. This class was de ned formally in Section 10.1 for PDL (see also Section 5.1); the de nition is the same here. Formally, deterministic while programs form the subclass of the regular programs in which the program operators [, ?, and are constrained to appear only in the forms skip def = 1? def fail = 0? if ' then else def = ('?; ) [ (:'?; ) (11.1.2) def while ' do = ('?; ) ; :'? (11.1.3) The class of nondeterministic while programs is the same, except that we allow unrestricted use of the nondeterministic choice construct [. Of course, unrestricted use of the sequential composition operator is allowed in both languages. Restrictions on the form of atomic programs and tests apply as with regular programs. For example, if we are allowing only poor tests, then the ' occurring in the programs (11.1.2) and (11.1.3) must be a quanti er-free rst-order formula. The class of deterministic while programs is important because it captures the basic programming constructs common to many real-life imperative programming
MIT Press Math7X9/2000/06/30:10:36 Page 286
286
Chapter 11
languages. Over the standard structure of the natural numbers N , deterministic while programs are powerful enough to de ne all partial recursive functions, and thus over N they are as as expressive as regular programs. A similar result holds for a wide class of models similar to N , for a suitable de nition of \partial recursive functions" in these models. However, it is not true in general that while programs, even nondeterministic ones, are universally expressive. We discuss these results in Chapter 15.
Formulas
A formula of DL is de ned in way similar to that of PDL, with the addition of a rule for quanti cation. Equivalently, we might say that a formula of DL is de ned in a way similar to that of rst-order logic, with the addition of a rule for modality. The basic version of DL is de ned with regular programs:
the false formula 0 is a formula; any atomic formula is a formula; if ' and are formulas, then ' ! is a formula; if ' is a formula and x 2 V , then 8x ' is a formula; if ' is a formula and is a program, then []' is a formula.
The only missing rule in the de nition of the syntax of DL are the tests. In our basic version we would have:
if ' is a quati er-free rst-order formula, then '? is a test. For the rich test version, the de nitions of programs and formulas are mutually dependent, and the rule de ning tests is simply:
if ' is a formula, then '? is a test. We will use the same notation as in propositional logic that :' stands for ' ! 0. As in rst-order logic, the rst-order existential quanti er 9 is considered a de ned construct: 9x ' abbreviates :8x :'. Similarly, the modal construct < > is considered a de ned construct as in Section 5.1, since it is the modal dual of [ ]. The other propositional constructs ^, _, $ are de ned as in Section 3.2. Of course, we use parentheses where necessary to ensure unique readability. Note that the individual variables in V serve a dual purpose: they are both program variables and logical variables.
MIT Press Math7X9/2000/06/30:10:36 Page 287
First-Order Dynamic Logic
287
11.2 Richer Programs Seqs and R.E. Programs Some classes of programs are most conveniently de ned as certain sets of seqs. Recall from Section 5.3 that a seq is a program of the form 1 ; ; k , where each i is an assignment statement or a quanti er-free rst-order test. Each regular program is associated with a unique set of seqs CS () (Section 5.3). These de nitions were made in the propositional context, but they apply equally well to the rst-order case; the only dierence is in the form of atomic programs and tests. Construing the word in the broadest possible sense, we can consider a program to be an arbitrary set of seqs. Although this makes sense semantically|we can assign an input/output relation to such a set in a meaningful way|such programs can hardly be called executable. At the very least we should require that the set of seqs be recursively enumerable, so that there will be some eective procedure that can list all possible executions of a given program. However, there is a subtle issue that arises with this notion. Consider the set of seqs
fxi := f i (c) j i 2 Ng: This set satis es the above restriction, yet it can hardly be called a program. It uses in nitely many variables, and as a consequence it might change a valuation at in nitely many places. Another pathological example is the set of seqs
fxi+1 := f (xi ) j i 2 Ng; which not only could change a valuation at in nitely many locations, but also depends on in nitely many locations of the input valuation. In order to avoid such pathologies, we will require that each program use only nitely many variables. This gives rise to the following de nition of r.e. programs, which is the most general family of programs we will consider. Speci cally, an r.e. program is a Turing machine that enumerates a set of seqs over a nite set of variables. The set of seqs enumerated will be called CS (). By FV () we will denote the nite set of variables that occur in seqs of CS (). An important issue connected with r.e. programs is that of bounded memory. The assignment statements or tests in an r.e. program may have in nitely many terms with increasingly deep nesting of function symbols (although, as discussed, these terms only use nitely many variables), and these could require an unbounded amount of memory to compute. We de ne a set of seqs to be bounded memory if the depth of terms appearing in it is bounded. In fact, without sacri cing computational
MIT Press Math7X9/2000/06/30:10:36 Page 288
288
Chapter 11
power, we could require that all terms be of the form f (x1 ; : : : ; xn ) in a boundedmemory set of seqs (Exercise 15.4).
Arrays and Stacks
Interesting variants of the programming language we use in DL arise from allowing auxiliary data structures. We shall de ne versions with arrays and stacks , as well as a version with a nondeterministic assignment statement called wildcard assignment . Besides these, one can imagine augmenting while programs with many other kinds of constructs such as blocks with declarations, recursive procedures with various parameter passing mechanisms, higher-order procedures, concurrent processes, etc. It is easy to arrive at a family consisting of thousands of programming languages, giving rise to thousands of logics. Obviously, we have had to restrict ourselves. It is worth mentioning, however, that certain kinds of recursive procedures are captured by our stack operations, as explained below.
Arrays
To handle arrays, we include a countable set of array variables Varray = fF0 ; F1 ; : : : g: Each array variable has an associated arity, or number of arguments, which we do not represent explicitly. We assume that there are countably many variables of each arity n 0. In the presence of array variables, we equate the set V of individual variables with the set of nullary array variables; thus V Varray . The variables in Varray of arity n will range over n-ary functions with arguments and values in the domain of computation. In our exposition, elements of the domain of computation play two roles: they are used both as indices into an array and as values that can be stored in an array. One might equally well introduce a separate sort for array indices; although conceptually simple, this would complicate the notation and would give no new insight. We extend the set of rst-order terms to allow the unrestricted occurrence of array variables, provided arities are respected. The classes of regular programs with arrays and deterministic and nondeterministic while programs with arrays are de ned similarly to the classes without, except that we allow array assignments in addition to simple assignments. Array assignments are similar to simple assignments, but on the left-hand side we allow a term in which the outermost symbol is an array variable: F (t1 ; : : : ; tn ) := t:
MIT Press Math7X9/2000/06/30:10:36 Page 289
First-Order Dynamic Logic
289
Here F is an n-ary array variable and t1 ; : : : ; tn ; t are terms, possibly involving other array variables. Note that when n = 0, this reduces to the ordinary simple assignment.
Recursion via an Algebraic Stack
We now consider DL in which the programs can manipulate a stack. The literature in automata theory and formal languages often distinguishes a stack from a pushdown store. In the former, the automaton is allowed to inspect the contents of the stack but to make changes only at the top. We shall use the term stack to denote the more common pushdown store, where the only inspection allowed is at the top of the stack. The motivation for this extension is to be able to capture recursion. It is well known that recursive procedures can be modeled using a stack, and for various technical reasons we prefer to extend the data-manipulation capabilities of our programs than to introduce new control constructs. When it encounters a recursive call, the stack simulation of recursion will push the return location and values of local variables and parameters on the stack. It will pop them upon completion of the call. The LIFO (last-in- rst-out) nature of stack storage ts the order in which control executes recursive calls. To handle the stack in our stack version of DL, we add two new atomic programs
push(t) and pop(y); where t is a term and y 2 V . Intuitively, push(t) pushes the current value of t onto the top of the stack, and pop(y) pops the top value o the top of the stack and
assigns that value to the variable y. If the stack is empty, the pop operation does not change anything. We could have added a test for stack emptiness, but it can be shown to be redundant (Exercise 11.3). Formally, the stack is simply a nite string of elements of the domain of computation. The classes of regular programs with stack and deterministic and nondeterministic while programs with stack are obtained by augmenting the respective classes of programs with the push and pop operations as atomic programs in addition to simple assignments. In contrast to the case of arrays, here there is only a single stack. In fact, expressiveness changes dramatically when two or more stacks are allowed (Exercise 15.7). Also, in order to be able to simulate recursion, the domain must have at least two distinct elements so that return addresses can be properly encoded in the stack. One way of doing this is to store the return address itself in unary using one ele-
MIT Press Math7X9/2000/06/30:10:36 Page 290
290
Chapter 11
ment of the domain, then store one occurrence of the second element as a delimiter symbol, followed by domain elements constituting the current values of parameters and local variables. The kind of stack described here is often termed algebraic , since it contains elements from the domain of computation. It should be contrasted with the Boolean stack described next.
Parameterless Recursion via a Boolean Stack
An interesting special case is when the stack can contain only two distinct elements. This version of our programming language can be shown to capture recursive procedures without parameters or local variables. This is because we only need to store return addresses, but no actual data items from the domain of computation. This can be achieved using two values, as described above. We thus arrive at the idea of a Boolean stack. To handle such a stack in this version of DL, we add three new kinds of atomic programs and one new test. The atomic programs are
push-1
push-0
pop;
and the test is simply top?: Intuitively, push-1 and push-0 push the corresponding distinct Boolean values on the stack, pop removes the top element, and the test top? evaluates to true i the top element of the stack is 1, but with no side eect. With the test top? only, there is no explicit operator that distinguishes a stack with top element 0 from the empty stack. We might have de ned such an operator, and in a more realistic language we would certainly do so. However, it is mathematically redundant, since it can be simulated with the operators we already have (Exercise 11.1).
Wildcard Assignment The nondeterministic assignment x := ? is a device that arises in the study of fairness; see Apt and Plotkin (1986). It has often been called random assignment in the literature, although it has nothing to do with randomness or probability. We shall call it wildcard assignment . Intuitively,
MIT Press Math7X9/2000/06/30:10:36 Page 291
First-Order Dynamic Logic
291
it operates by assigning a nondeterministically chosen element of the domain of computation to the variable x. This construct together with the [ ] modality is similar to the rst-order universal quanti er, since it will follow from the semantics that the two formulas [x := ?]'
and
8x '
are equivalent. However, wildcard assignment may appear in programs and can therefore be iterated.
11.3 Semantics In this section we assign meanings to the syntactic constructs described in the previous sections. We interpret programs and formulas over a rst-order structure A. Variables range over the carrier of this structure. We take an operational view of program semantics: programs change the values of variables by sequences of simple assignments x := t or other assignments, and ow of control is determined by the truth values of tests performed at various times during the computation.
States as Valuations An instantaneous snapshot of all relevant information at any moment during the computation is determined by the values of the program variables. Thus our states will be valuations u; v; : : : of the variables V over the carrier of the structure A. Our formal de nition will associate the pair (u; v) of such valuations with the program if it is possible to start in valuation u, execute the program , and halt in valuation v. In this case, we will call (u; v) an input/output pair of and write (u; v) 2 mA (). This will result in a Kripke frame exactly as in Chapter 5. Let A = (A; mA )
be a rst-order structure for the vocabulary as de ned in Section 3.4. We call A the domain of computation . Here A is a set, called the carrier of A, and mA is a meaning function such that mA (f ) is an n-ary function mA (f ) : An ! A interpreting the n-ary function symbol f of , and mA (r) is an n-ary relation mA (r) An interpreting the n-ary relation symbol r of . The equality symbol = is always interpreted as the identity relation. For n 0, let An ! A denote the set of all n-ary functions in A. By convention, we take A0 ! A = A. Let A denote the set of all nite-length strings over A.
MIT Press Math7X9/2000/06/30:10:36 Page 292
292
Chapter 11
The structure A determines a Kripke frame, which we will also denote by A, as follows. A valuation over A is a function u assigning an n-ary function over A to each n-ary array variable. It also assigns meanings to the stacks as follows. We shall use the two unique variable names STK and BSTK to denote the algebraic stack and the Boolean stack, respectively. The valuation u assigns a nite-length string of elements of A to STK and a nite-length string of Boolean values 1 and 0 to BSTK . Formally: u(F ) 2 An ! A; if F is an n-ary array variable, u(STK ) 2 A ; u(BSTK ) 2 f1; 0g: By our convention A0 ! A = A, and assuming that V Varray , the individual variables (that is, the nullary array variables) are assigned elements of A under this de nition: u(x) 2 A if x 2 V: The valuation u extends uniquely to terms t by induction. For an n-ary function symbol f and an n-ary array variable F ,
u(f (t1 ; : : : ; tn )) def = mA (f )(u(t1 ); : : : ; u(tn )) def u(F (t1 ; : : : ; tn )) = u(F )(u(t1 ); : : : ; u(tn )): Recall the function-patching operator de ned in Section 1.3: if X and D are sets, f : X ! D is any function, x 2 X , and d 2 D, then f [x=d] : X ! D is the function de ned by d; if x = y f [x=d](y) def = f (y); otherwise. We will be using this notation in several ways, both at the logical and metalogical levels. For example: If u is a valuation, x is an individual variable, and a 2 A, then u[x=a] is the new valuation obtained from u by changing the value of x to a and leaving the values of all other variables intact. If F is an n-ary array variable and f : An ! A, then u[F=f ] is the new valuation that assigns the same value as u to the stack variables and to all array variables other than F , and u[F=f ](F ) = f:
MIT Press Math7X9/2000/06/30:10:36 Page 293
First-Order Dynamic Logic
293
If f : An ! A is an n-ary function and a1 ; : : : ; an ; a 2 A, then the expression f [a1 ; : : : ; an =a] denotes the n-ary function that agrees with f everywhere except for input a1 ; : : : ; an , on which it takes the value a. More precisely, a; if bi = ai ; 1 i n f [a1 ; : : : ; an =a](b1 ; : : : ; bn ) = f (b1 ; : : : ; bn); otherwise. We call valuations u and v nite variants of each other if
u(F )(a1 ; : : : ; an ) = v(F )(a1 ; : : : ; an ) for all but nitely many array variables F and n-tuples a1 ; : : : ; an 2 An . In other words, u and v dier on at most nitely many array variables, and for those F on which they do dier, the functions u(F ) and v(F ) dier on at most nitely many values. The relation \is a nite variant of" is an equivalence relation on valuations. Since a halting computation can run for only a nite amount of time, it can execute only nitely many assignments. It will therefore not be able to cross equivalence class boundaries; that is, in the binary relation semantics given below, if the pair (u; v) is an input/output pair of the program , then v is a nite variant of u. We are now ready to de ne the states of our Kripke frame. For a 2 A, let wa be the valuation in which the stacks are empty and all array and individual variables are interpreted as constant functions taking the value a everywhere. A state of A is any nite variant of a valuation wa . The set of states of A is denoted S A . Call a state initial if it diers from some wa only at the values of individual variables. It is meaningful, and indeed useful in some contexts, to take as states the set of all valuations. Our purpose in restricting our attention to states as de ned above is to prevent arrays from being initialized with highly complex oracles that would compromise the value of the relative expressiveness results of Chapter 15.
Assignment Statements As in Section 5.2, with every program we associate a binary relation mA ()
SA SA
(called the input/output relation of p), and with every formula ' we associate a set mA (')
SA:
MIT Press Math7X9/2000/06/30:10:36 Page 294
294
Chapter 11
The sets mA () and mA (') are de ned by mutual induction on the structure of and '. For the basis of this inductive de nition, we rst give the semantics of all the assignment statements discussed earlier.
The array assignment F (t1 ; : : : ; tn ) := t is interpreted as the binary relation mA (F (t1 ; : : : ; tn ) := t) def =
f(u; u[F=u(F )[u(t1); : : : ; u(tn )=u(t)]]) j u 2 S A g:
In other words, starting in state u, the array assignment has the eect of changing the value of F on input u(t1 ); : : : ; u(tn ) to u(t), and leaving the value of F on all other inputs and the values of all other variables intact. For n = 0, this de nition reduces to the following de nition of simple assignment: mA (x := t) def =
f(u; u[x=u(t)]) j u 2 S A g:
The push operations, push(t) for the algebraic stack and push-1 and push-0 for the Boolean stack, are interpreted as the binary relations mA (push(t)) mA (push-1) mA (push-0)
def
= f(u; u[STK =(u(t) u(STK ))]) j u 2 S A g def = f(u; u[BSTK =(1 u(BSTK ))]) j u 2 S A g def = f(u; u[BSTK =(0 u(BSTK ))]) j u 2 S A g;
respectively. In other words, push(t) changes the value of the algebraic stack variable STK from u(STK ) to the string u(t) u(STK ), the concatenation of the value u(t) with the string u(STK ), and everything else is left intact. The eects of push-1 and push-0 are similar, except that the special constants 1 and 0 are concatenated with u(BSTK ) instead of u(t). The pop operations, pop(y) for the algebraic stack and pop for the Boolean stack, are interpreted as the binary relations mA (pop(y)) mA (pop)
def
= f(u; u[STK =tail(u(STK ))][y=head(u(STK ); u(y))]) j u 2 S A g def = f(u; u[BSTK =tail(u(BSTK ))]) j u 2 S A g;
MIT Press Math7X9/2000/06/30:10:36 Page 295
First-Order Dynamic Logic
295
respectively, where
tail(a ) tail(") head(a ; b) head("; b)
def
= def = def = def =
" a b
and " is the empty string. In other words, if u(STK ) 6= ", this operation changes the value of STK from u(STK ) to the string obtained by deleting the rst element of u(STK ) and assigns that element to the variable y. If u(STK ) = ", then nothing is changed. Everything else is left intact. The Boolean stack operation pop changes the value of BSTK only, with no additional changes. We do not include explicit constructs to test whether the stacks are empty, since these can be simulated (Exercise 11.3). However, we do need to be able to refer to the value of the top element of the Boolean stack, hence we include the top? test. The Boolean test program top? is interpreted as the binary relation mA (top?) def =
f(u; u) j u 2 S A ; head(u(BSTK )) = 1g:
In other words, this test changes nothing at all, but allows control to proceed i the top of the Boolean stack contains 1. The wildcard assignment x := ? for x 2 V is interpreted as the relation mA (x := ?) def =
f(u; u[x=a]) j u 2 S A ; a 2 Ag:
As a result of executing this statement, x will be assigned some arbitrary value of the carrier set A, and the values of all other variables will remain unchanged.
Programs and Formulas The meanings of compound programs and formulas are de ned by mutual induction on the structure of and ' essentially as in the propositional case (see Section 5.2). We include these de nitions below for completeness.
MIT Press Math7X9/2000/06/30:10:36 Page 296
296
Chapter 11
Regular Programs and While Programs
Here are the semantic de nitions for the four constructs of regular programs. mA ( ; ) def = mA () mA ( )
= f(u; v) j 9w (u; w) 2 mA () and (w; v) 2 mA ( )g mA ( [ ) = mA () [ mA ( ) [ mA ( ) def = mA () = mA ()n def
mA ('?) def =
(11.3.1) (11.3.2)
n0
f(u; u) j u 2 mA (')g:
(11.3.3)
The semantics of de ned constructs such as if-then-else and while-do are obtained using their de nitions exactly as in PDL.
Seqs and R.E. Programs
Recall that an r.e. program is a Turing machine enumerating a set CS () of seqs. If is an r.e. program, we de ne mA () def =
[
2CS ()
mA ():
Thus, the meaning of is de ned to be the union of the meanings of the seqs in CS (). The meaning mA () of a seq is determined by the meanings of atomic programs and tests and the sequential composition operator. There is an interesting point here regarding the translation of programs using other programming constructs into r.e. programs. This can be done for arrays and stacks (for Booleans stacks, even into r.e. programs with bounded memory), but not for wildcard assignment. Since later in the book we shall be referring to the r.e. set of seqs associated with such programs, it is important to be able to carry out this translation. To see how this is done for the case of arrays, for example, consider an algorithm for simulating the execution of a program by generating only ordinary assignments and tests. It does not generate an array assignment of the form F (t1 ; : : : ; tn ) := t, but rather \remembers" it and when it reaches an assignment of the form x := F (t1 ; : : : ; tn ) it will aim at generating x := t instead. This requires care, since we must keep track of changes in the variables inside t and t1 ; : : : ; tn and incorporate them into the generated assignments. We leave the details to the reader (Exercises 11.5{11.7).
MIT Press Math7X9/2000/06/30:10:36 Page 297
First-Order Dynamic Logic
297
Formulas
Here are the semantic de nitions for the constructs of formulas of DL. The reader is referred to Section 3.4 for the semantic de nitions of atomic rst-order formulas. mA (0) def = ? (11.3.4) def mA (' ! ) = fu j if u 2 mA (') then u 2 mA ( )g (11.3.5) def mA (8x ') = fu j 8a 2 A u[x=a] 2 mA (')g (11.3.6) def mA ([]') = fu j 8v if (u; v) 2 mA () then v 2 mA (')g: (11.3.7) Equivalently, we could de ne the rst-order quanti ers 8 and 9 in terms of the wildcard assignment: 8x ' $ [x := ?]' (11.3.8) 9x ' $ <x := ?>': (11.3.9) Note that for deterministic programs (for example, those obtained by using the while programming language instead of regular programs and disallowing wildcard assignments), mA () is a partial function from states to states; that is, for every state u, there is at most one v such that (u; v) 2 mA (). The partiality of the function arises from the possibility that may not halt when started in certain states. For example, mA (while 1 do skip) is the empty relation. In general, the relation mA () need not be single-valued. If K is a given set of syntactic constructs, we refer to the version of Dynamic Logic with programs built from these constructs as Dynamic Logic with K or simply as DL(K ). Thus, we have DL(r.e.), DL(array), DL(stk), DL(bstk), DL(wild), and so on. As a default, these logics are the poor-test versions, in which only quanti er-free rst-order formulas may appear as tests. The unadorned DL is used to abbreviate DL(reg), and we use DL(dreg) to denote DL with while programs, which are really deterministic regular programs. Again, while programs use only poor tests. Combinations such as DL(dreg+wild) are also allowed.
11.4 Satis ability and Validity The concepts of satis ability, validity, etc. are de ned as for PDL in Chapter 5 or as for rst-order logic in Section 3.4. Let A = (A; mA ) be a structure, and let u be a state in S A . For a formula ', we write A; u ' if u 2 mA (') and say that u satis es ' in A. We sometimes write u ' when A is understood. We say that ' is A-valid and write A ' if A; u '
MIT Press Math7X9/2000/06/30:10:36 Page 298
298
Chapter 11
for all u in A. We say that ' is valid and write ' if A ' for all A. We say that ' is satis able if A; u ' for some A; u. For a set of formulas , we write A if A ' for all ' 2 . Informally, A; u []' i every terminating computation of starting in state u terminates in a state satisfying ', and A; u <>' i there exists a computation of starting in state u and terminating in a state satisfying '. For a pure rst-order formula ', the metastatement A; u ' has the same meaning as in rst-order logic (Section 3.4).
11.5 Bibliographical Notes First-order DL was de ned in Harel et al. (1977), where it was also rst named Dynamic Logic. That paper was carried out as a direct continuation of the original work of Pratt (1976). Many variants of DL were de ned in Harel (1979). In particular, DL(stk) is very close to the context-free Dynamic Logic investigated there.
Exercises 11.1. Show that in the presence of the Boolean stack operations push-1, push-0, pop, and top?, there is no need for a Boolean stack operation that tests whether the top element is 0. 11.2. Show how to write the recursive procedure appearing in Section 9.1 using a Boolean stack. 11.3. Show that a test for stack emptiness is redundant in DL with an algebraic stack. 11.4. Prove that the meaning of a regular program is the same as the meaning of the corresponding (regular) r.e. program. 11.5. Show how to translate any regular program with array assignments into an r.e. set of seqs with simple assignments only. 11.6. Show how to translate any regular program with an algebraic stack into an r.e. set of seqs with simple assignments only.
MIT Press Math7X9/2000/06/30:10:36 Page 299
First-Order Dynamic Logic
299
11.7. Show how to translate any regular program with a Boolean stack into a bounded-memory r.e. set of seqs with simple assignments only. 11.8. De ne DL with integer counters. Show how to translate this logic into bounded-memory DL(r.e.). 11.9. Prove the equivalences (11.3.8) and (11.3.9) for relating wildcard assignment to quanti cation.
MIT Press Math7X9/2000/06/30:10:36 P age 300
MIT Press Math7X9/2000/06/30:10:36 Page 301
12 Relationships with Static Logics Reasoning in rst-order Dynamic Logic can take two forms: uninterpreted and interpreted. The former involves properties expressible in the logic that are independent of the domain of interpretation. The latter involves the use of the logic to reason about computation over a particular domain or a limited class of domains. In this chapter we discuss these two levels of reasoning and the relationships they engender between DL and classical static logics.
12.1 The Uninterpreted Level Uninterpreted Reasoning: Schematology In contrast to the propositional version PDL discussed in Part II, DL formulas involve variables, functions, predicates, and quanti ers, a state is a mapping from variables to values in some domain, and atomic programs are assignment statements. To give semantic meaning to these constructs requires a rst-order structure A over which to interpret the function and predicate symbols. Nevertheless, we are not obliged to assume anything special about A or the nature of the interpretations of the function and predicate symbols, except as dictated by rst-order semantics. Any conclusions we draw from this level of reasoning will be valid under all possible interpretations. Uninterpreted reasoning refers to this style of reasoning. For example, the formula
p(f (x); g(y; f (x))) !
:= f (x)>p(z; g(y; z )) is true over any domain, irrespective of the interpretations of p, f , and g. Another example of a valid formula is
z = y ^ 8x f (g(x)) = x ! [while p(y) do y := g(y)]<while y 6= z do y := f (y)>1: Note the use of [ ] applied to < >. This formula asserts that under the assumption that f \undoes" g, any computation consisting of applying g some number of times to z can be backtracked to the original z by applying f some number of times to the result. This level of reasoning is the most appropriate for comparing features of programming languages, since we wish such comparisons not to be in uenced by the coding capabilities of a particular domain of interpretation. For example, if we aban-
MIT Press Math7X9/2000/06/30:10:36 Page 302
302
Chapter 12
don the uninterpreted level and assume the xed domain N of the natural numbers with zero, addition and multiplication, all reasonable programming languages are equivalent in computation power|they all compute exactly the partial recursive functions. In contrast, on the uninterpreted level, it can be shown that recursion is a strictly more powerful programming construct than iteration. Research comparing the expressive power of programming languages on the uninterpreted level is sometimes called schematology , and uninterpreted programs are often called program schemes . As an example, let us consider regular programs and nondeterministic while programs. The former are as powerful as the latter, since every while program is obviously regular, as can be seen by recalling the de nitions from Section 11.1:
if ' then else def = ('?; ) [ (:'?; ) def while ' do = ('?; ) ; :'?:
Conversely, over any structure, nondeterministic while programs are as powerful as regular programs (Exercise 12.2). We de ne our logics using the regular operators since they are simpler to manipulate in mathematical arguments, but the while program operators are more natural for expressing algorithms. If we do not allow nondeterminism in while programs, the situation is dierent. We show in Chapter 15 that DL with deterministic while programs is strictly less expressive than DL with regular programs when considered over all structures. However, over N they are equivalent (Theorem 12.6).
Failure of Classical Theorems
We now show that three basic properties of classical (uninterpreted) rst-order logic, the Lowenheim{Skolem theorem, completeness, and compactness, fail for even fairly weak versions of DL. The Lowenheim{Skolem theorem (Theorem 3.59) states that if a formula ' has an in nite model then it has models of all in nite cardinalities. Because of this theorem, classical rst-order logic cannot de ne the structure of elementary arithmetic N = (!; +; ; 0; 1; =) up to isomorphism. That is, there is no rst-order sentence that is true in a structure A if and only if A is isomorphic to N . However, this can be done in DL. Proposition 12.1:
isomorphism.
There exists a formula N of DL(dreg) that de nes N up to
MIT Press Math7X9/2000/06/30:10:36 Page 303
Relationships with Static Logics
303
Proof Take as N the conjunction of the following six rst-order formulas:
8x x + 1 6= 0 8x 8y x + 1 = y + 1 ! x = y 8x x + 0 = x 8x 8y x + (y + 1) = (x + y) + 1 8x x 0 = 0 8x 8y x (y + 1) = (x y) + x,
plus the DL(dreg) formula 8x
(12.1.1)
The sentence (12.1.1) says that the program inside the diamond halts for all
x; in other words, every element of the structure is obtained from 0 by adding 1
a nite number of times. This is inexpressible in rst-order logic. A side eect of (12.1.1) is that we may use the induction principle in all models of N. The rst two of the above rst-order formulas imply that every model of N is in nite. The remaining rst-order formulas are the inductive de nitions of addition and multiplication. It follows that every model of N is isomorphic to N . The Lowenheim{Skolem theorem does not hold for DL, because N has an in nite model (namely N ), but all models are isomorphic to N and are therefore countable. Besides the Lowenheim{Skolem Theorem, compactness fails in DL as well. Consider the following countable set ; of formulas:
f<while p(x) do x := f (x)>1g [ fp(f n(x)) j n 0g: It is easy to see that ; is not satis able, but it is nitely satis able, i.e. each nite subset of it is satis able. Worst of all, completeness cannot hold for any deductive system as we normally think of it (a nite eective system of axioms schemes and nitary inference rules). The set of theorems of such a system would be r.e., since they could be enumerated by writing down the axioms and systematically applying the rules of inference in all possible ways. However, the set of valid statements of DL is not r.e. (Exercise 12.1). In fact, we will show in Chapter 13 exactly how bad the situation is. This is not to say that we cannot say anything meaningful about proofs and deduction in DL. On the contrary, there is a wealth of interesting and practical results on axiom systems for DL that we will cover in Chapter 14.
MIT Press Math7X9/2000/06/30:10:36 Page 304
304
Chapter 12
Expressive Power In this section we investigate the power of DL relative to classical static logics on the uninterpreted level. In particular, we will introduce rich test DL of r.e. programs and show that it is equivalent to the in nitary language L!1ck! . Some consequences of this fact are drawn in later sections. First we introduce a de nition that allows to compare dierent variants of DL. Let us recall from Section 11.3 that a state is initial if it diers from a constant state wa only at the values of individual variables. If DL1 and DL2 are two variants of DL over the same vocabulary, we say that DL2 is as expressive as DL1 and write DL1 DL2 if for each formula ' in DL1 there is a formula in DL2 such that A; u ' $ for all structures A and initial states u. If DL2 is as expressive as DL1 but DL1 is not as expressive as DL2 , we say that DL2 is strictly more expressive than DL1 , and write DL1 < DL2 . If DL2 is as expressive as DL1 and DL1 is as expressive as DL2 , we say that DL1 and DL2 are of equal expressive power, or are simply equivalent, and write DL1 DL2 . We will also use these notions for comparing versions of DL with static logics such as L!! . There is a technical reason for the restriction to initial states in the above de nition. If DL1 and DL2 have access to dierent sets of data types, then they may be trivially incomparable for uninteresting reasons, unless we are careful to limit the states on which they are compared. We shall see examples of this in Chapter 15. Also, in the de nition of DL(K ) given in Section 11.4, the programming language K is an explicit parameter. Actually, the particular rst-order vocabulary over which DL(K ) and K are considered should be treated as a parameter too. It turns out that the relative expressiveness of versions of DL is sensitive not only to K , but also to . This second parameter is often ignored in the literature, creating a source of potential misinterpretation of the results. For now, we assume a xed rst-order vocabulary .
Rich Test Dynamic Logic of R.E. Programs
We are about to introduce the most general version of DL we will ever consider. This logic is called rich test Dynamic Logic of r.e. programs , and it will be denoted DL(rich-test r.e.). Programs of DL(rich-test r.e.) are r.e. sets of seqs as de ned in Section 11.2, except that the seqs may contain tests '? for any previously constructed formula '. The formal de nition is inductive. All atomic programs are programs and all atomic formulas are formulas. If '; are formulas, ; are programs, fn j n 2 !g
MIT Press Math7X9/2000/06/30:10:36 Page 305
Relationships with Static Logics
305
is an r.e. set of programs over a nite set of variables (free or bound), and x is a variable, then
0
'! []' 8x '
are formulas and
; fn j n 2 !g '? are programs. The set CS () of computation sequences of a rich test r.e. program is de ned as usual. Recall from Section 3.6 that L!1! is the language with the formation rules of the rst-order V languageWL!! , but in which countably in nite conjunctions and disjunctions i2I 'i and i2I 'i are also allowed. In addition, if f'i j i 2 I g is recursively enumerable, then the resulting language is denoted L!1ck ! and is sometimes called constructive L!1! . Proposition 12.2:
DL(rich-test r.e.) L!1ck! .
Proof In the translations below, ' ranges over L!1ck! formulas, ranges over DL(rich-test r.e.) formulas, and ranges over rich test r.e. programs. The translation from L!1ck! to DL(rich-test r.e.) is obtained via the mapping . The main clause of its de nition is given below. Recall that :' stands for ' ! 0 and <>' stands for :[]:'.
_ ( 'i ) def = i2I
f('i )? j i 2 I g>1:
<
The reverse translation is obtained via a mapping with the help of a mapping ( ) that tranforms L!1ck! formulas into L!1ck! formulas. Here is an arbitrary rich test r.e. program. The main clause of the de nition of is
(<> ) def = ( ) ;
MIT Press Math7X9/2000/06/30:10:36 Page 306
306
Chapter 12
and the main de ning clauses for ( ) are as follows:
'x:=t def = '[x=t] def ' ; = (' ) _ 'fn jn2!g def = 'n '
?
def
n2!
= ' ^ ( ):
Since r.e. programs as de ned in Section 11.2 are clearly a special case of general rich-test r.e. programs, it follows that DL(rich-test r.e.) is as expressive as DL(r.e.). In fact they are not of the same expressive power. Theorem 12.3:
DL(r.e.) < DL(rich-test r.e.).
Proof sketch. One can use an Ehrenfeucht{Frasse argument to show that DL(r.e.) cannot distinguish between the recursive ordinals !! and !! 2, whereas any recursive ordinal can be de ned by a formula of DL(rich-test r.e.) up to isomorphism. Details can be found in Meyer and Parikh (1981). Henceforth, we shall assume that the rst-order vocabulary contains at least one function symbol of positive arity. Under this assumption, DL can easily be shown to be strictly more expressive than L!! : Theorem 12.4:
L!! < DL.
Proof In Section 12.1 we saw how to construct an in nite model for that is uniquely de nable in DL up to isomorphism. By the upward Lowenheim{Skolem theorem, this is impossible in L!! . Corollary 12.5:
L!! < DL DL(r.e.) < DL(rich-test r.e.) L!1ck! : The situation with the intermediate versions of DL, e.g. DL(stk), DL(bstk), DL(wild), etc., is of interest. We deal with the relative expressive power of these in Chapter 15, where we also show that the second inequality in Corollary 12.5 is strict.
MIT Press Math7X9/2000/06/30:10:36 Page 307
Relationships with Static Logics
307
12.2 The Interpreted Level Interpreted Reasoning: Arithmetical Structures This is the most detailed level we will consider. It is the closest to the actual process of reasoning about concrete, fully speci ed programs. Syntactically, the programs and formulas are as on the uninterpreted level, but here we assume a xed structure or class of structures. In this framework, we can study programs whose computational behavior depends on (sometimes deep) properties of the particular structures over which they are interpreted. In fact, almost any task of verifying the correctness of an actual program falls under the heading of interpreted reasoning. One speci c structure we will look at carefully is the natural numbers with the usual arithemetic operations: N = (!; 0; 1; +; ; =): Let ; denote the ( rst-order-de nable) operation of subtraction and let gcd(x; y) denote the rst-order-de nable operation giving the greatest common divisor of x and y. The following formula of DL is N -valid, i.e., true in all states of N : x = x0 ^ y = y0 ^ xy 1 ! <>(x = gcd(x0 ; y0 )) (12.2.1) where is the while program of Example 4.1 or the regular program (x 6= y?; ((x > y?; x := x ; y) [ (x < y?; y := y ; x))) x = y?: Formula (12.2.1) states the correctness and termination of an actual program over N computing the greatest common divisor. As another example, consider the following formula over N : 8x 1 <(if even(x) then x := x=2 else x := 3x + 1) >(x = 1): Here = denotes integer division, and even( ) is the relation that tests if its argument is even. Both of these are rst-order de nable. This innocent-looking formula asserts that starting with an arbitrary positive integer and repeating the following two operations, we will eventually reach 1: if the number is even, divide it by 2; if the number is odd, triple it and add 1. The truth of this formula is as yet unknown, and it constitutes a problem in number theory (dubbed \the 3x + 1 problem") that has been open for over 60 years. The
MIT Press Math7X9/2000/06/30:10:36 Page 308
308
Chapter 12
formula 8x 1 <>1, where is
while x 6= 1 do if even(x) then x := x=2 else x := 3x + 1; says this in a slightly dierent way. The speci c structure N can be generalized, resulting in the class of arithmetical structures . We shall not give a full de nition here. Brie y, a structure A is arithmetical if it contains a rst-order-de nable copy of N and has rst-order de nable functions for coding nite sequences of elements of A into single elements and for the corresponding decoding. Arithmetical structures are important because (i) most structures arising naturally in computer science (e.g., discrete structures with recursively de ned data types) are arithmetical, and (ii) any structure can be extended to an arithmetical one by adding appropriate encoding and decoding capabilities. While most of the results we present for the interpreted level are given in terms of N alone, many of them hold for any arithmetical structure, so their signi cance is greater.
Expressive Power over N The results of Section 12.1 establishing that
L!! < DL DL(r.e.) < DL(rich-test r.e.) were on the uninterpreted level, where all structures are taken into account.1 Thus rst-order logic, regular DL, and DL(rich-test r.e.) form a sequence of increasingly more powerful logics when interpreted uniformly over all structures. What happens if one xes a structure, say N ? Do these dierences in expressive power still hold? We now address these questions. First, we introduce notation for comparing expressive power over N . If DL1 and DL2 are variants of DL (or static logics, such as L!! ) and are de ned over the vocabulary of N , we write DL1 N DL2 if for each ' 2 DL1 there is 2 DL2 such that N ' $ . We de ne
L!! N DL N DL(r.e.).
1 As mentioned, the second inequality is also strict.
MIT Press Math7X9/2000/06/30:10:36 Page 309
Relationships with Static Logics
309
Proof The direction of both equivalences is trivial. For the other direction, we sketch the construction of a rst-order formula 'L for each ' 2 DL(r.e.) such that N ' $ 'L . The construction of 'L is carried out by induction on the structure of '. The only nontrivial case is for ' of the form [] . For a formula of this form, suppose L has been constructed. Let FV () fx1 ; : : : ; xk g for some k 0. Consider the set of seqs over the vocabulary of arithmetic such that FV () fx1 ; : : : ; xk g. Every such is a nite expression, therefore can be encoded as a natural number pq. Now consider the set
R def = f(pq; n1; : : : ; nk ; m1 ; : : : ; mk ) 2 N 2k+1 j (n; m) 2 mN()g; where n is the state that assigns ni to xi for 1 i k and 0 to the remaining variables. The state m is de ned similarly. Clearly R is a recursive set and there is rst-order formula (y; x1 ; : : : ; xk ; z1 ; : : : ; zk ) that de nes R in N . We can assume that the variables y; z1; : : : ; zk do not occur in L . Let ' (y) be a formula de ning the set fpq j 2 CS ()g. The desired formula 'L is
8y 8z1 : : : 8zk (' (y) ^ (y; x1 ; : : : ; xk ; z1; : : : ; zk ) !
L [x1 =z1 ; : : : ; xk =zk ]):
The remaining cases we leave as an exercise (Exercise 12.5). The signi cance of this result is that in principle, one can carry out all reasoning about programs interpreted over N in the rst-order logic L!! by translating each DL formula into a rst-order equivalent. The translation is eective, as this proof shows. Moreover, Theorem 12.6 holds for any arithmetical structure containing the requisite coding power. As mentioned earlier, every structure can be extended to an arithmetical one. However, the translation of Theorem 12.6 produces unwieldly formulas having little resemblance to the original ones. This mechanism is thus somewhat unnatural and does not correspond closely to the type of arguments one would nd in practical program verication. In Section 14.2, a remedy is provided that makes the process more orderly. We now show that over N , DL(rich-test r.e.) has considerably more power than the equivalent logics of Theorem 12.6. This too is true for any arithmetical structure. Theorem 12.7:
metic) sets.
Over N , DL(rich-test r.e.) de nes precisely the 11 (hyperarith-
MIT Press Math7X9/2000/06/30:10:36 Page 310
310
Chapter 12
Proof We will show in Theorem 13.6 that the set f 2 DL(rich-test r.e.) j N g (12.2.2) is hyperarithmetic. Any DL(rich-test r.e.)-de nable set f(a1 ; : : : ; an ) j N '[x1 =a1 ; : : : ; xn =an]g (12.2.3) de ned by a DL(rich-test r.e.) formula ' with free variables x1 ; : : : ; xn reduces by simple substitution2 to (12.2.2). The set (12.2.3) is therefore hyperarithmetic. For the other direction, we use the characterization of 11 as the subsets of N de ned by total IND programs; equivalently, by IND programs that always halt within \time" bounded by a recursive ordinal. This generalized notion of time is de ned formally by the ordinal mapping ord : T ! Ord on recursive well-founded trees as discussed in Section 2.2. The time of a halting IND computation is the ordinal associated with the root of the computation tree. Given an IND program over N with program variables x1 ; : : : ; xn and a recursive ordinal represented by a well-founded recursive tree T ! as described in Section 2.2, we de ne a family of DL(rich-test r.e.) formulas 'w` with free variables x1 ; : : : ; xn , where w 2 T and ` is a statement label of . The formula 'w` [x1 =a1 ; : : : ; xn =an] says that halts and accepts in at most ord(w) steps when started at statement ` in a state in which xi has value ai , 1 i n. The de nition of 'w` is inductive on the well-founded tree T . In the following de nition, c(`) refers to the continuation of statement ` in ; that is, the rst statement of if ` is the last statement, otherwise the statement immediately following `. The formulas 'w` are de ned as follows. If ` is the statement xi := 9, de ne
'w` def =
2 We assume the coding scheme for DL(rich-test r.e.) formulas has been designed to permit eective identi cation of and substitution for free variables.
MIT Press Math7X9/2000/06/30:10:36 Page 311
Relationships with Static Logics
311
Theorem 12.6 says that over N , the languages DL and DL(r.e.) each de ne precisely the arithmetic ( rst-order de nable) sets, and Theorem 12.7 says that DL(rich-test r.e.) de nes precisely the hyperarithmetic or 11 sets. Since the inclusion between these classes is strict|for example, rst-order number theory is hyperarithmetic but not arithmetic|we have Corollary 12.8:
DL(r.e.)
12.3 Bibliographical Notes Uninterpreted reasoning in the form of program schematology has been a common activity ever since the work of Ianov (1960). It was given considerable impetus by the work of Luckham et al. (1970) and Paterson and Hewitt (1970); see also Greibach (1975). The study of the correctness of interpreted programs goes back to the work of Turing and von Neumann, but seems to have become a well-de ned area of research following Floyd (1967), Hoare (1969) and Manna (1974). Embedding logics of programs in L!1! is based on observations of Engeler (1967). Theorem 12.3 is from Meyer and Parikh (1981). Theorem 12.6 is from Harel (1979) (see also Harel (1984) and Harel and Kozen (1984)); it is similar to the expressiveness result of Cook (1978). Theorem 12.7 and Corollary 12.8 are from Harel and Kozen (1984). Arithmetical structures were rst de ned by Moschovakis (1974) under the name acceptable structures . In the context of logics of programs, they were reintroduced and studied in Harel (1979).
Exercises 12.1. Consider DL with deterministic while programs over the rst-order vocabulary of N . Show that the set of valid DL formulas over this vocabulary is not recursively enumerable. (Hint. Using the formula N de ned in Section 12.1 that de nes the natural numbers up to isomorphism, show that if the set of valid DL formulas were r.e., then so would be the set of formulas true in N , thus contradicting Godel's incompleteness theorem.) 12.2. Show that nondeterministic while programs and regular programs are equivalent over any structure.
MIT Press Math7X9/2000/06/30:10:36 Page 312
312
Chapter 12
12.3. Show that in the uninterpreted sense, allowing only atomic formulas instead of all quanti er-free formulas as tests does not diminish the expressive power of DL. 12.4. Argue by induction on the well-founded recursive tree T that the construction of the DL(rich-test r.e.) formulas 'w` in the proof of Theorem 12.7 is correct. 12.5. Fill in the missing cases in the proof of Theorem 12.6. 12.6. Give a precise de nition of an arithmetical structure. Let L1 A L2 denote relative expressibility in arithmetical structures; that is, L1 A L2 holds if for any arithmetical structure A and any formula ' in L1 , there is a formula in L2 such that A ' $ . De ne L1 A L2 accordingly. Show that Theorem 12.6 holds for arithmetical structures; that is, L!! A DL A DL(r.e.):
MIT Press Math7X9/2000/06/30:10:36 Page 313
13 Complexity This chapter addresses the complexity of rst-order Dynamic Logic. Section 13.1 discusses the diculty of establishing validity in DL. As in Chapter 12, we divide the question into uninterpreted and interpreted versions. On the uninterpreted level, we deal with the complexity of deciding validity of a given formula of an arbitrary signature over all interpretations for that signature. On the interpreted level, we are interested in the truth in N of a number-theoretic DL formula or validity over arithmetical structures. In Section 13.2 we turn our attention to some of the programming languages de ned in Chapter 11 and analyze their spectral complexity, a notion that measures the diculty of the halting problem over nite structures. Spectral complexity will become useful in comparing the expressive power of variants of DL in Chapter 15.
13.1 The Validity Problem Since all versions of DL subsume rst-order logic, truth can be no easier to establish than in L!! . Also, since DL(r.e.) is subsumed by L!1ck! , truth will be no harder to establish than in L!1ck! . These bounds hold for both uninterpreted and interpreted levels of reasoning.
The Uninterpreted Level: Validity In this section we discuss the complexity of the validity problem for DL. By the remarks above and Theorems 3.60 and 3.67, this problem is between 01 and 11 . That is, as a lower bound it is undecidable and can be no better than recursively enumerable, and as an upper bound it is in 11 . This is a rather large gap, so we are still interested in determining more precise complexity bounds for DL and its variants. An interesting related question is whether there is some nontrivial1 fragment of DL that is in 01 , since this would allow a complete axiomatization. In the following, we consider these questions for full DL(reg), but we also consider two important subclasses of formulas for which better upper bounds are derivable: partial correctness assertions of the form ! []', and termination or total correctness assertions of the form ! <>', 1 Nontrivial here means containing L!! and allowing programs with iteration. The reason for this requirement is that loop-free programs add no expressive power over rst-order logic.
MIT Press Math7X9/2000/06/30:10:36 Page 314
314
Chapter 13
where ' and are rst-order formulas. The results are stated for regular programs, but they remain true for the more powerful programming languages too. They also hold for deterministic while programs (Exercises 13.3 and 13.4). We state the results without mentioning the underlying rst-order vocabulary . For the upper bounds this is irrelevant. For the lower bounds, we assume the contains a unary function symbol and ternary predicate symbols to accommodate the proofs. The validity problem for DL is 11 -hard, even for formulas of the form 9x []', where is a regular program and ' is rst-order. Theorem 13.1:
Proof For convenience, we phrase the proof in terms of satis ablity instead of validity, carrying out a reduction from the 11 -complete tiling problem of Proposition 2.22: Given a nite set T of tile types, can the in nite ! ! grid with blue south and west boundaries be tiled so that the color red occurs in nitely often? We will adapt the encoding of Theorem 3.67 to our needs. Let us recall that the vocabulary contains one constant symbol a, one unary function symbol f , and four ternary relation symbols South, North, West and East. As in the proof of Theorem 3.67, de ne the formula red(x; y)
def ()
North(x; y; f red(a)) _ South(x; y; f red(a)) _ East(x; y; f red(a)) _ West(x; y; f red(a));
which says intuitively that the tile at position x; y has a red side. Let T be the conjunction of the ve formulas (3.4.3){(3.4.7) used in the proof of Theorem 3.60 and the formula 8x
MIT Press Math7X9/2000/06/30:10:36 Page 315
Complexity
315
The validity problem for DL and DL(rich-test r.e.), as well as all intermediate versions, is 11 -complete. Theorem 13.2:
To soften the negative avor of these results, we now show that the special cases of unquanti ed one-program DL(r.e.) formulas have easier validity problems (though, as mentioned, they are still undecidable). We rst need a lemma. For every r.e. program and for every rst-order formula ', there exists an r.e. set f' j 2 CS ()g of rst-order formulas such that Lemma 13.3:
j= []' $
^
2CS ()
' :
Proof For every seq , we de ne a mapping ( ) that transforms rst-order formulas into rst-order formulas as follows:2 '" def = '; where " is the null seq; def 'x:=t ; = ' [x=t]; ' ? ; def = ! ' : Veri cation of the conclusion of the lemma is left to the reader.
The validity problem for the sublanguage of DL(r.e.) consisting of formulas of the form <>', where ' is rst-order and is an r.e. program, is 01 -complete. Theorem 13.4:
Proof It suces to show that the problem is in 01 , since the Wsublanguage L!! is already 01 -complete. By Lemma 13.3, <>' is equivalent to 2CS () ' , and all the ' are rst-order. By the compactness of rst-orderWlogic, there is some nite subset ; f' j 2 CS ()g such that <>' i ;. Each such nite disjunction is a rst-order formula, hence the nite subsets ; can be generated and checked for validity in a recursively enumerable manner. It is easy to see that the result holds for formulas of the form ! <>', where is also rst-order (Exercise 13.1). Thus, termination assertions for nondeterministic programs with rst-order tests (or total correctness assertions for deterministic programs), on the uninterpreted level of reasoning, are recursively enumerable and 2 The reader may wish to compare this mapping with the mapping de ned in the proof of Proposition 12.2.
MIT Press Math7X9/2000/06/30:10:36 Page 316
316
Chapter 13
therefore axiomatizable. We shall give an explicit axiomatization in Chapter 14. We now turn to partial correctness. The validity problem for the sublanguage of DL(r.e.) consisting of formulas of the form []', where ' is rst-order and is an r.e. program, is 02 -complete. The 02 -completeness property holds even if we restrict to range over deterministic while programs. Theorem 13.5:
Proof For the upper bound, we have by Lemma 13.3 that []' i V 2CS () ' . It follows that the validity of the latter is co-r.e. in the r.e. problem of validity of rst-order formulas, hence it is in 02 . For the lower bound, we carry out a reduction (to the dual satis ability problem) from the 02 -complete tiling problem of Proposition 2.21. Let us recall that this problem calls for a nite set T of tile types to tile the positive quadrant of the integer grid in such a way that the colors on the south boundary form a nite sequence of colors followed by an in nite sequence of blue. For our encoding, we again adapt the proof of Theorem 3.60. We use the notation from that proof. We take T0 to be the conjunction of the clauses (3.4.3), (3.4.6), and (3.4.7) used in the proof of Theorem 3.60 together with the clause
8x South(x; a; f blue(a)) !
South(f (x); a; f blue(a)):
This clause expresses the property that the color blue, when occurring on the south boundary, remains there from the rst occurrence on. Now we can combine T0 with the requirement that blue actually occurs on the south boundary to obtain the formula T
def
=
<x := a;
while :South(x; a; f blue(a)) do x := f (x)> T0 :
The claim is that T is satis able i T can tile the grid with the additional constraint on the colors of south boundary. We leave the veri cation of this claim to the reader. Theorem 13.5 extends easily to partial correctness assertions; that is, to formulas of the form ! []', where is also rst-order (Exercise 13.2). Thus, while 02 is obviously better than 11 , it is noteworthy that on the uninterpreted level of reasoning, the truth of even simple correctness assertions for simple programs is not r.e., so that no nitary complete axiomatization for such validities can be given.
MIT Press Math7X9/2000/06/30:10:36 Page 317
Complexity
317
The Interpreted Level: Validity over N The characterizations of the various versions of DL in terms of classical static logics established in Section 12.2 provide us with the precise complexity of the validity problem over N . The N -validity problem for DL(dreg) and DL(rich-test r.e.), as well as all intermediate versions, when de ned over the vocabulary of N , is hyperarithmetic (11 ) but not arithmetic. Theorem 13.6:
Proof Let
X def = f' 2 DL(rich-test r.e.) j N j= 'g: Let N be the DL(dreg) formula that de nes N up to isomorphism (see Proposition 12.1). Since for every ' 2 DL(rich-test r.e.) we have
' 2 X () j= N ! '; by Theorem 13.2 we have that X is in 11 . On the other hand, since for every sentence ' we have ' 62 X i :' 2 X , it follows that X is also in 11 , hence it is in 11 . That N -validity for any of the intermediate versions is not arithmetic follows from the fact that the rst-order theory of N is already not arithmetic.
13.2 Spectral Complexity We now introduce the spectral complexity of a programming language. As mentioned, this notion provides a measure of the complexity of the halting problem for programs over nite interpretations. Recall that a state is a nite variant of a constant valuation wa for some a 2 A (see Section 11.3), and a state w is initial if it diers from wa for individual variables only. Thus, an initial state can be uniquely de ned by specifying its relevant portion of values on individual variables. For m 2 N , we call an initial state w an m-state if for some a 2 A and for all i m, w(xi ) = a. An m-state can be speci ed by an (m + 1)-tuple of values (a0 ; : : : ; am ) that represent values of w for the rst m + 1 individual variables x0 ; : : : ; xm . Call an m-state w = (a0 ; : : : ; am) Herbrand-like if the set fa0; : : : ; am g generates A; that is, if every element of A can be obtained as a value of a term in the state w.
MIT Press Math7X9/2000/06/30:10:36 Page 318
318
Chapter 13
Coding Finite Structures Let be a nite rst-order vocabulary, and assume that the symbols of are linearly ordered as follows. Function symbols are smaller in the order than predicate symbols. Function symbols are ordered according to arity; that is, symbols of smaller arity are smaller than symbols of larger arity. Function symbols of the same arity are ordered in an arbitrary but xed way. Predicate symbols are ordered similarly. Let A be a structure for . We de ne a natural chain in A as a particular way of linearly ordering all elements in the substructure of A generated by the empty set. A natural chain is a partial function CA : N ! A de ned for k 2 N as follows: 8 f A (C (i ); : : : ; C (i )); if (i; i ; : : : ; i ) is the rst vector in lexiA n 1 n > i A 1 > > cographic order such that fi is an n-ary > > > < function symbol in , i1 ; : : : ; in < k, CA (k) def = > and fiA (CA (i1 ); : : : ; CA (in )) 62 fCA (j ) j > > j < kg; > > > : unde ned, otherwise. Observe that if has no constant symbols, then CA = ?. From now on, we assume that has at least one constant symbol. Let be a rst-order vocabulary and let c0 ; : : : ; cm be symbols not occurring in . An expanded vocabulary [fc0 ; : : : ; cm g is obtained from by adding c0 ; : : : ; cm as constant symbols. If the symbols of were linearly ordered in some way, then assuming a linear order on the new constants, the symbols of [ fc0; : : : ; cm g are ordered as in , except that the new constants come just after the old constants and before the function symbols of . Let 0 = [ fc0 ; : : : ; cm g. For every -structure A and for every m-state w = (a0 ; : : : ; am ) in A, we expand A into a 0 -structure Aw by interpreting each ci by ai and leaving the interpretation of the old symbols unchanged. The next result shows that the natural chain in Aw can be uniformly computed by a deterministic program with an algebraic stack. Proposition 13.7: For every m > 0, there exists a deterministic program Nextm with an algebraic stack such that for every -structure A, m-state w in A,
and b 2 A, A; w[xm+1 =b]
MIT Press Math7X9/2000/06/30:10:36 Page 319
Complexity
319
Proof Following the recursive de nition of CA , it is easy to write a recursive procedure that computes the successor of b 2 A with respect to the natural chain in Aw . This procedure is further translated into the desired deterministic program with an algebraic stack (see Section 11.2).
It follows that for every structure A and input w that is an m-state, there is a canonical way of computing a successor function on the elements generated by the input. Proposition 13.8: Let A1 and A2 be -structures on the same carrier generated
by the empty set (that is, every element is named by a ground term), and assume that CA1 = CA2 . Then A1 and A2 are isomorphic i A1 = A2 .
Proof Let f : A1 ! A2 be an isomorphism. One proves by a straightforward induction on k in the domain of CA1 that f (CA1 (k)) = CA2 (k). Thus f is the identity and A1 = A2 .
Let be a rst-order vocabulary. Recall that we assume that contains at least one function symbol of positive arity. In this section we actually assume that is rich ; that is, either it contains at least one predicate symbol3 or the sum of arities of the function symbols is at least two. Examples of rich vocabularies are: two unary function symbols, or one binary function symbol, or one unary function symbol and one unary predicate symbol. A vocabulary that is not rich will be called poor . Hence a poor vocabulary has just one unary function symbol and possibly some constants, but no relation symbols other than equality. The main dierence between rich and poor vocabularies is that the former admit exponentially many pairwise non-isomorphic structures of a given nite cardinality, whereas the latter admit only polynomially many. In this section we will cover rich vocabularies. The case of poor vocabularies will be covered in the exercises (Exercises 13.9, 13.13, and 13.14). We say that the vocabulary is mono-unary if it contains no function symbols other than a single unary one. It may contain constants and predicate symbols. Let A be a -structure generated by the empty set and let #A = n. Without loss of generality, we can assume that A = f0; 1; : : : ; n ; 1g and that CA (k) = k for all k < n. Every structure can be transformed into one satisfying this property by renaming elements if necessary. Let Sn be the set of all such structures over a xed vocabulary . Clearly, the set Sn depends on the vocabulary . We shall 3 The equality symbol is not counted here.
MIT Press Math7X9/2000/06/30:10:36 Page 320
320
Chapter 13
write SnL when we want to make the dependence on explicit. It follows from Proposition 13.8 that if A; B 2 Sn are dierent, then they are not isomorphic. Also every n-element -structure with no proper substructures is isomorphic to precisely one element of Sn . We encode every element A of Sn by a binary string pAq 2 f0; 1g as follows. All elements of f0; : : : ; n ; 1g are encoded in binary using the same length, blog(n ; 1)c + 1. The code of A consists of concatenating the values of consecutive symbols of in the order in which they occur in , where the values of any function or predicate4 in A are listed for consecutive arguments in lexicographic order with respect to the natural order in f0; : : : ; n ; 1g. It is easy to see that for every A 2 Sn , the length of pAq is polynomial in n.5 Let us illustrate the coding technique with an example. Let A = (f0; 1; 2g; c; f; ), where c is a constant that denotes 1, f is the binary operation of addition modulo 3, and is the linear order 0 1 2. Clearly, A is generated by the empty set. The natural chain in A is 1; 2; 0, thus A 62 S3 . However, A is isomorphic to A0 = (f0; 1; 2g; c0 ; f 0 ; 0 ), where c0 denotes 0, f 0 (x; y) = x + y + 1 (mod 3), and 0 is the linear order 2 0 0 0 1. The natural chain in A0 is 0; 1; 2, therefore A0 2 S3 . In order to help read o the code of A0 , we abbreviate 00 by 0, 01 by 1, and 10 by 2. The code of A0 is given below. Example 13.9:
0 1| 2 0 2{z0 1 0 1 2} 1| 1 0 0{z1 0 1 1 1} code of f 0 code of 0
Spectra We are now ready to de ne the notion of a spectrum of a programming language. Let K be a programming language and let 2 K and m 0. The mth spectrum of is the set
SPm () def
= fpAw q j A is a nite -structure, w is an m-state in A, and A; w <>1g:
The spectrum of K is the set
SP (K ) def = fSPm () j 2 K; m 2 Ng: 4 Truth values of a predicate are represented using the correspondence 0 for 0 and 1 for 1. 5 However, this polynomial depends on .
MIT Press Math7X9/2000/06/30:10:36 Page 321
Complexity
321
Given m 0, observe that structures in Sn[fc0 ;::: ;cm g can be viewed as structures of the form Aw for a certain -structure A and an m-state w in A. This representation is unique. In this section we establish the complexity of spectra; that is, the complexity of the halting problem in nite interpretations. Let us x m 0, a rich vocabulary , and new constants c0 ; : : : ; cm. Since not every binary string is of the form pAq for some -structure A and m-state w in A, we will restrict our attention to strings that are of this form. Let
Hm def = fpAq j A 2 Sn[fc0 ;::: ;cmg for some n 1g: It is easy to show that the language Hm is in LOGSPACE for every vocabulary and m 0. Later, we shall need the following result. Let m 0 and let L be a rich vocabulary. For every language X f0; 1g, there is a language Y Hm such that X log Y log X: Lemma 13.10:
Proof The proof is structured according to the symbols that belong to . Let us consider the case in which contains a unary relation symbol r and a unary function symbol f . The other cases are dealt with similarly, and we leave them to the reader. Let x 2 f0; 1g. We de ne a -structure Bx and an Herbrand-like m-state u. Let n = jxj be the length of x. The carrier of Bx is the set U = f0; 1; : : : ; ng. The interpretation of f in Bx is the successor function modulo n +1. The interpretation of r is as follows. For i 2 U , we let rBx (i) hold i 1 i n and the ith bit in x is 1. All other function symbols, including constants, are interpreted as functions constantly equal to 0. All other relation symbols are interpreted as empty relations. The state u assigns 0 to every variable. We leave it to the reader to show that there is a LOGSPACE -computable function : f0; 1g ! f0; 1g such that (x) = pBx ; uq. Since Bx and By are not isomorphic for x 6= y, it follows that is one-to-one. Let us describe a computation of another function : f0; 1g ! f0; 1g. Given an input y 2 f0; 1g, it checks whether y 2 Hm . If so, it nds the cardinality (in binary) of a structure A whose code is y. It then reads o from the code whether f A is the successor, whether all other operations of A are constantly equal to 0, and whether all relations besides rA are empty. If so, it reads o from the code
MIT Press Math7X9/2000/06/30:10:36 Page 322
322
Chapter 13
of rA the bits of a string x such that pBx ; uq = y. If on any of these tests the machine computing should fail, the computation is aborted and the value of (y) is the empty string. The reader can easily check that is indeed computable by a LOGSPACE transducer and that ((x)) = x for all x 2 f0; 1g; ( (y)) = y for all y 2 (f0; 1g). Given X f0; 1g, let Y = (X ). It follows that establishes the reduction X log Y , while establishes the reduction Y log X . We are now ready to connect complexity classes with spectra. Let K be any programming language and let C 2f0;1g be a family of sets. We say that SP (K ) captures C , denoted SP (K ) C , if SP (K ) C , and for every X 2 C and m 0, if X Hm , then there is a program 2 K such that SPm () = X . For example, if C is the class of all sets recognizable in polynomial time, then SP (K ) P means that the halting problem over nite interpretations for programs from K is decidable in polynomial time, and every polynomial-time-recognizable set of codes of nite interpretations is the spectrum of some program from K . We conclude this section by establishing the spectral complexity of some of the programming languages introduced in Chapter 11. Let be a rich vocabulary. Then (i) SP (dreg) LOGSPACE . (ii) SP (reg) NLOGSPACE . Moreover, if is mono-unary, then SP (dreg) captures LOGSPACE and SP (reg) captures NLOGSPACE . Theorem 13.11:
Proof We rst show (i). Let be a deterministic regular program and let m 0. A deterministic o-line O(log n)-space-bounded Turing machine M that accepts SPm () can be constructed as follows. For a given input string z 2 f0; 1g, it checks
MIT Press Math7X9/2000/06/30:10:36 Page 323
Complexity
323
whether z is the code of an expanded structure Aw 2 Sn[fc0 ;::: ;cmg for some n 1. This can be done in O(log n) space. If so, it starts a simulation of a computation of in A, taking the values given by w as initial values for the registers of . At any stage of the simulation, the current values of the registers of are stored on the work tape of M using their binary representations of length O(log n). The necessary tests and updates of values of the registers of can be read o from the input string z . The machine M halts i halts for (A; w). The proof of (ii) is essentially the same, except that M will be nondeterministic. For the second part of the theorem, assume that is mono-unary. We show that SP (dreg) captures LOGSPACE . The argument for SP (reg) is similar and is omitted. Let X 2 LOGSPACE and X Hm for some m 0. We describe a deterministic regular program such that for every n 1 and every Aw 2 Sn[fc0 ;::: ;cmg , A; w <>1
() pAw q 2 X:
First, let us consider the case in which the carrier of A has only one element. There are only nitely many pairwise nonisomorphic structures over a one-element carrier. They dier only by dierent interpretations of the predicate symbols. Let A1 ; : : : ; Ak all be one-element structures such that pAiw q 2 X . Since Ai has only one element, it follows that w is uniquely determined. The program rst checks whether the structure generated by the input has exactly one element. If so, it checks whether this structure is one of the Ai listed above, in which case it halts. Otherwise it diverges. From now on, we assume that A has more than one element. Let M be a deterministic o-line O(log n)-space-bounded Turing machine that accepts X . Without loss of generality, we can assume that M 's tape alphabet is f0; 1g. Moreover, since the length of the input pAw q for M is polynomial in #A = n, we can assume without loss of generality that the work tape of M has length kblog nc, where k is constant. Hence, the contents of this tape can be stored by in k registers, each holding a value a 2 A whose binary expansion represents the relevant portion of the work tape. In order to store head positions of M , the program uses counters, which are simulated as follows. Since is mono-unary, one can de ne a deterministic regular program that plays the role of the program Nextm of Proposition 13.7. This is the only place where we crucially use the assumption about . Hence, can compute the successor function that counts up to n ; 1 in an n-element structure. Using several registers, can thus count up to a polynomial number of steps.
MIT Press Math7X9/2000/06/30:10:36 Page 324
324
Chapter 13
The bits of the code pAw q can be read o directly from A and the rst m + 1 registers x0 ; : : : ; xm , which store the initial values of w. For this it is enough to have polynomial-size arithmetic on counters, as explained above. Now can simulate the computation of M step by step, updating the contents of M 's work tape and M 's head positions. It halts if and only if M eventually reaches an accepting state. Theorem 13.12:
Over a rich vocabulary , SP (dstk) and SP (stk) capture P .
Proof The proof is very similar to the proof of Theorem 13.11. Instead of mutual simulation with O(log n)-space-bounded Turing machines, we work with Cook's O(log n) auxiliary pushdown automata (APDAs); see Chapter 14 of Hopcroft and Ullman (1979) for the de nition. The pushdown store of the APDA directly simulates the algebraic stack of a regular program. It follows from Cook's theorem (see Theorem 14.1 of Hopcroft and Ullman (1979)) that languages accepted by deterministic/nondeterministic O(log n) APDAs coincide with P . The program Nextm of Proposition 13.7 is used to simulate counters as in the proof of Theorem 13.11. Theorem 13.13:
capture PSPACE .
If is a rich vocabulary, then SP (darray) and SP (array)
Proof Again, the proof is very similar to that of Theorem 13.11. This time we mutually simulate deterministic/nondeterministic regular programs with arrays and deterministic/nondeterministic polynomial space Turing machines. By Savitch's theorem (Hopcroft and Ullman, 1979, Theorem 12.11) it follows that both models of Turing machines accept the same class of languages, namely PSPACE . To simulate counters for the backwards reduction, we need a deterministic regular program with arrays that performs the same function as the program Nextm of Proposition 13.7. The easy details are left to the reader.
13.3 Bibliographical Notes The 11 -completeness of DL was rst proved by Meyer, and Theorem 13.1 appears in Harel et al. (1977). The proof given here is from Harel (1985). Theorem 13.4 is from Meyer and Halpern (1982). That the fragment of DL considered in Theorem 13.5 is not r.e., was proved by Pratt (1976). Theorem 13.6 follows from Harel and Kozen (1984).
MIT Press Math7X9/2000/06/30:10:36 Page 325
Complexity
325
The name \spectral complexity" was proposed by Tiuryn (1986), although the main ideas and many results concerning this notion were already present in Tiuryn and Urzyczyn (1983); the reader may consult Tiuryn and Urzyczyn (1988) for the full version. This notion is an instance of the so-called secondorder spectrum of a formula. First-order spectra were investigated by Sholz (1952), from which originates the well known Spectralproblem. The reader can nd more about this problem and related results in the survey paper by Borger (1984). Proposition 13.7 and the notion of a natural chain is from Urzyczyn (1983a). The results of Section 13.2 are from Tiuryn and Urzyczyn (1983, 1988); see the latter for the complete version. A result similar to Theorem 13.12 in the area of nite model theory was obtained by Sazonov (1980) and independently by Gurevich (1983). Higher-order stacks were introduced in Engelfriet (1983) to study complexity classes. Higher-order arrays and stacks in DL were considered by Tiuryn (1986), where a strict hierarchy within the class of elementary recursive sets was established. The main tool used in the proof of the strictness of this hierarchy is a generalization of Cook's auxiliary pushdown automata theorem for higher-order stacks, which is due to Kowalczyk et al. (1987).
Exercises 13.1. Prove Theorem 13.4 for termination or total correctness formulas of the form ! <>'. 13.2. Prove Theorem 13.5 for partial correctness assertions of the form ! []'. 13.3. Prove Theorem 13.2 for DL(dreg). 13.4. Prove Theorem 13.5 for DL(dreg). 13.5. Show that for every structure A, the image CA (N ) is the substructure of A generated by the empty set; that is, the least substructure of A. 13.6. Write a recursive procedure that computes the successor function with respect to the natural chain in Aw (see Proposition 13.7). 13.7. Show that if a vocabulary contains no function symbols of positive arity, then DL(r.e.) reduces to rst-order logic over all structures.
MIT Press Math7X9/2000/06/30:10:36 Page 326
326
Chapter 13
13.8. Show that for a rich vocabulary and a given n > 0, there are exponentially many (in n) pairwise nonisomorphic -structures A such that #A = n and A is generated by the empty set. 13.9. Show that for a poor vocabulary and for a given n > 0, there are polynomially many (in n) pairwise nonisomorphic -structures A such that #A = n and A is generated by the empty set. 13.10. Let be a rich vocabulary. Show that for every A 2 Sn , the length of pAq is polynomial in n. 13.11. Show that for every rich vocabulary and m 0, the language Hm is in LOGSPACE . 13.12. (Tiuryn (1986)) Show that if the vocabulary is rich, then the spectra of deterministic/nondeterministic regular programs with an algebraic stack and arrays capture EXPTIME . 13.13. Let be a poor vocabulary. Give an encoding ppAqq 2 f0; 1g of nite structures A 2 Sn such that the length of ppAqq is O(log n). 13.14. Let be a poor vocabulary. Rede ne the notion of a spectrum following the encoding of structures for poor vocabularies, and show that the complexity classes thus captured by spectra become exponentially higher. For example: spectra of deterministic regular programs capture DSPACE (n); spectra of nondeterministic regular programs capture NSPACE (n); spectra of regular programs with an algebraic stack capture DTIME (2O(n) ); spectra of regular programs with arrays capture DSPACE (2O(n) ) (see Tiuryn and Urzyczyn (1988)).
MIT Press Math7X9/2000/06/30:10:36 Page 327
14 Axiomatization This chapter deals with axiomatizing rst-order Dynamic Logic. We divide our treatment along the same lines taken in Chapters 12 and 13, dealing with the uninterpreted and interpreted cases separately. We must remember, though, that in both cases the relevant validity problems are highly undecidable, something we will have to nd a way around.
14.1 The Uninterpreted Level Recall from Section 13.1 that validity in DL is 11 -complete, but only r.e. when restricted to simple termination assertions. This means that termination (or total correctness when the programs are deterministic) can be fully axiomatized in the standard sense. This we do rst, and we then turn to the problem of axiomatizing full DL.
Completeness for Termination Assertions
Although the reader may feel happy with Theorem 13.4, it should be stressed that only very simple computations are captured by valid termination assertions: Let ' ! <> be a valid formula of DL, where ' and are rst-order and contains rst-order tests only. There exists a constant k 0 such that for every structure A and state u, if A; u ', there is a computation sequence 2 CS () of length at most k such that A; u <> . Proposition 14.1:
Proof The proof is left as an exercise (Exercise 14.1). Nevertheless, since the validity problem for such termination assertions is r.e., it is of interest to nd a nicely-structured complete axiom system. We propose the following. Axiom System 14.2:
Axiom Schemes all instances of valid rst-order formulas; all instances of valid formulas of PDL; '[x=t] ! <x := t>'; where ' is a rst-order formula.
MIT Press Math7X9/2000/06/30:10:36 Page 328
328
Chapter 14
Inference Rules modus ponens: '; ' ! We denote provability in Axiom System 14.2 by `S1 . For every rst-order formula and for every sequence of atomic assignments and atomic tests, there is a rst-order formula such that Lemma 14.3:
$ <> :
Proof The proof is left as an exercise (Exercise 14.2).
For any DL formula of the form ' ! <> , for rst-order ' and and program containing rst-order tests only,
Theorem 14.4: ' ! <>
() `S1 ' ! <> :
Proof Soundness ((=) is obvious. The proof of completeness (=)) proceeds by induction on the structure of and makes heavy use of the compactness of rstorder logic. We present the case for ' ! < [ > . W By assumption, ' ! < [ > , therefore ' ! 2CS ( [ ) , where is the rst-order equivalent W to <> from Lemma 14.3. By the compactness of rst-order logic, ' ! 2C for some nite set of seqs C CS ( [ ) = CS ( ) [ CS ( ). This can be written '
_
! (
2C1
_
_
2C2
)
for some nite sets C1 CS ( ) and C2 CS ( ). Since the last formula is rstorder and valid, by the completeness of rst-order logic we have
_
`S1 ' ! (
2C1
_
_
2C2
):
(14.1.1)
W
However, W since C1 CS ( ) and C2 CS ( ), we have 2C1 ! < > and the inductive hypothesis to each yields `S1 2C2 ! < > . Applying W W ! < > and ` S1 2C2 ! < > . By (14.1.1) and propositional 2C1
MIT Press Math7X9/2000/06/30:10:36 Page 329
Axiomatization
329
reasoning, we obtain `S1 ' ! (< > _ < > ); which together with an instance of the PDL tautology < > _ < > ! < [ > yields `S1 ' ! < [ > . Remark 14.5: The result also holds if is allowed to involve tests that are
themselves formulas as de ned in the theorem.
In nitary Completeness for the General Case Given the high undecidability of validity in DL, we cannot hope for a complete axiom system in the usual sense. Nevertheless, we do want to provide an orderly axiomatization of valid DL formulas, even if this means that we have to give up the nitary nature of standard axiom systems. In this section, we present a complete in nitary axiomatization of DL that includes an inference rule with in nitely many premises. Before doing so, however, we must get a certain technical complication out of the way. We would like to be able to consider valid rst-order formulas as axiom schemes, but instantiated by general formulas of DL. In order to make formulas amenable to rst-order manipulation, we must be able to make sense of such notions as \a free occurrence of x in '" and the substitution '[x=t]. For example, we would like to be able to use the axiom scheme of the predicate calculus 8x ' ! '[x=t], even if ' contains programs. The problem arises because the dynamic nature of the semantics of DL may cause a single occurrence of a variable in a DL formula to act as both a free and bound occurrence. For example, in the formula <while x 99 do x := x + 1>1, the occurrence of x in the expression x + 1 acts as both a free occurrence (for the rst assignment) and as a bound occurrence (for subsequent assignments). There are several reasonable ways to deal with this, and we present one for de niteness. Without loss of generality, we assume that whenever required, all programs appear in the special form (14.1.2)
MIT Press Math7X9/2000/06/30:10:36 Page 330
330
Chapter 14
appearing nowhere in the relevant context outside of the program . The idea is to make programs act on the \local" variables zi by rst copying the values of the xi into the zi , thus freezing the xi , executing the program with the zi , and then restoring the xi . This form can be easily obtained from any DL formula by consistently changing all variables of any program to new ones and adding the appropriate assignments that copy and then restore the values. Clearly, the new formula is equivalent to the old. Given a DL formula in this form, the following are bound occurrences of variables: all occurrences of x in a subformula of the form 9x '; all occurrences of zi in a subformula of the form (14.1.2) (note, though, that zi does not occur in ' at all); all occurrences of xi in a subformula of the form (14.1.2) except for its occurrence in the assignment zi := xi . Every occurrence of a variable that is not bound is free. Our axiom system will have an axiom that enables free translation into the special form discussed, and in the sequel we assume that the special form is used whenever required (for example, in the assignment axiom scheme below). As an example, consider the formula: 8x (
Axiom Schemes all instances of valid rst-order formulas; all instances of valid formulas of PDL; <x := t>' $ '[x=t]; ' $ 'b, where 'b is ' in which some occurrence of a program has been replaced
MIT Press Math7X9/2000/06/30:10:36 Page 331
Axiomatization
331
by the program z := x; 0 ; x := z for z not appearing in ', and where 0 is with all occurrences of x replaced by z .
Inference Rules modus ponens: '; ' ! generalization: '
and 8'x' in nitary convergence: []'
' ! [n ] ; n 2 ! ' ! [ ]
Provability in Axiom System 14.6, denoted by `S2 , is the usual concept for systems with in nitary rules of inference; that is, deriving a formula using the in nitary rule requires in nitely many premises to have been previously derived. Axiom System 14.6 consists of an axiom for assignment, facilities for propositional reasoning about programs and rst-order reasoning with no programs (but with programs possibly appearing in instantiated rst-order formulas), and an in nitary rule for [ ]. The dual construct, < >, is taken care of by the \unfolding" validity of PDL: < >' $ (' _ <; >'): See Example 14.8 below. The main result here is: Theorem 14.7: '
For any formula ' of DL,
() `S2 ':
Proof sketch. Soundness is straightforward. Completeness can be proved by adapting any one of the many known completeness proofs for the classical in nitary logic, L!1! . Algebraic methods are used in Mirkowska (1971), whereas Harel (1984) uses Henkin's method. For de niteness, we sketch an adaptation of the proof given in Keisler (1971).
MIT Press Math7X9/2000/06/30:10:36 Page 332
332
Chapter 14
Take the set At of atoms to consist of all consistent nite sets of formulas possibly involving elements from among a countable set G of new constant symbols. By anVatom A being consistent, we mean that it is not the case that `S2 :Ab, where Ab = '2A '. It is now shown how to construct a model for any A 2 At. The result will then follow from the fact that for any consistent formula ', f'g 2 At. Given an atom A, we de ne its closure CL(A) to be the least set of formulas containing all formulas of A and their subformulas, exactly as is done for the FischerLadner closure FL(') in Section 6.1, but which is also closed under substitution of constants from G for arbitrary terms, and which contains c = d for each c; d 2 G. An in nite sequence of atoms A = A0 A1 A2 is now constructed. Given Ai 2 At, Ai+1 is constructed by considering 'i , the ith closed formula of CL(A) in some xed ordering, and checking whether Ai [ f'i g 2 At. If so, certain formulas are added to Ai to produce Ai+1 , depending on the form of 'i . A typical rule of this kind is the following. If 'i = < > , then we claim that there must be some n such that Abi _ <n > is consistent; then we take Ai+1 to be Ai [ f'i ; <n > ; ti = cg, where ti is the ith item in some xed enumeration of the basic terms over the current vocabulary, but with constants from G, and where c 2 G does not occur in Ai . To see that such an n exists, assume to the contrary that `S2 :(Abi ^ <n > ) for every n. Then `S2 Abi ! [n ]: for each n. By the in nitary convergence rule, `S2 Abi ! [ ] , which is `S2 :(Abi ^ < > ). But this contradicts the fact S that Ai [ f'i g 2 At. Now let A1 = i Ai and let bc = fd 2 G j (c = d) 2 A1 g. The structure A = (D; mA ) is obtained by taking the carrier to be D = fbc j c 2 Gg and for example setting mA (p)(bc1 ; : : : ; bck ) to be true i p(c1 ; : : : ; ck ) 2 A1 . A straightforward induction on the complexity of formulas shows that all formulas of A1 are true in A. Example 14.8:
formula:
x=y !
We use Axiom System 14.6 to prove the validity of the following
[(x := f (f (x))) ]<(y
:= f (y)) >x = y:
To that end, we show that for every n,
`S2 x = y ! [(x := f (f (x)))n ]<(y := f (y)) >x = y and then apply the in nitary convergence rule to obtain the result. Let n be xed.
MIT Press Math7X9/2000/06/30:10:36 Page 333
Axiomatization
333
We rst prove
`S2 x = y ! [x := f (f (x))][x := f (f (x))] : : : [x := f (f (x))]
:= f (y)>
(14.1.3)
with n occurrences of [x := f (f (x))] and 2n occurrences of of
'!
<>'
! <>
to obtain
'!
[]'
! []
`S2 x = y ! [x := f (f (x))] : : : [x := f (f (x))]<(y := f (y)) >x = y: Now n ; 1 applications of the PDL validity [][ ]' ! [; ]' yield the desired result.
14.2 The Interpreted Level Proving properties of real programs very often involves reasoning on the interpreted level, where one is interested in A-validity for a particular structure A. A typical proof might use induction on the length of the computation to establish an invariant for partial correctness or to exhibit a decreasing value in some well-founded set for termination. In each case, the problem is reduced to the problem of verifying some domain-dependent facts, sometimes called veri cation conditions . Mathematically speaking, this kind of activity is really an eective transformation of assertions about programs into ones about the underlying structure. In this section, we show how for DL this transformation can be guided by a direct induction on program structure using an axiom system that is complete relative to any given arithmetical structure A. The essential idea is to exploit the existence, for any given DL formula, of a rst-order equivalent in A, as guaranteed by Theorem
MIT Press Math7X9/2000/06/30:10:36 Page 334
334
Chapter 14
12.6. In the axiom systems we construct, instead of dealing with the 11 -hardness of the validity problem by an in nitary rule, we take all A-valid rst-order formulas as additional axioms. Relative to this set of axioms, proofs are nite and eective. In Section 14.2 we take advantage of the fact that for partial correctness assertions of the form ' ! [] with ' and rst-order and containing rst-order tests, it suces to show that DL reduces to the rst-order logic L!! , and there is no need for the natural numbers to be present. Thus, the system we present in Section 14.2 works for nite structures too. In Section 14.2, we present an arithmetically complete system for full DL that does make explicit use of natural numbers.
Relative Completeness for Correctness Assertions
It follows from Theorem 13.5 that for partial correctness formulas we cannot hope to obtain a completeness result similar to the one proved in Theorem 14.4 for termination formulas. A way around this diculty is to consider only expressive structures. A structure A for the rst-order vocabulary is said to be expressive for a programming language K if for every 2 K and for every rst-order formula ', there exists a rst-order formula L such that A L $ []'. Examples of structures that are expressive for most programming languages are nite structures and arithmetical structures. Consider the following axiom system: Axiom System 14.9:
Axiom Schemes all instances of valid formulas of PDL; <x := t>' $ '[x=t] for rst-order '. Inference Rules modus ponens: '; ' ! generalization: ' :
[]'
MIT Press Math7X9/2000/06/30:10:36 Page 335
Axiomatization
335
Note that Axiom System 14.9 is really the axiom system for PDL from Chapter 7 with the addition of the assignment axiom. Given a DL formula ' and a structure A, denote by A `S3 ' provability of ' in the system obtained from Axiom System 14.9 by adding the following set of axioms: all A-valid rst-order sentences. For every expressive structure A and for every formula of DL of the form ' ! [] , where ' and are rst-order and involves only rst-order tests, we have Theorem 14.10:
A
() A `S3 :
Proof Soundness is trivial. For completeness, one proceeds by induction on the structure of . We present the case for = . By the assumption, A ' ! [ ] . Consider the rst-order formula ([ ] )L , which exists by the expressiveness of A, and denote it by . Clearly, A ' ! and A ! . Since both these formulas are rst-order and are A-valid, they are axioms, so we have: A `S3 ' ! (14.2.1) A `S3 ! : (14.2.2) However, by the semantics of we also have A ! [ ], from which the inductive hypothesis yields A `S3 ! [ ]. Applying the generalization rule with [ ] and using modus ponens with the PDL induction axiom of Chapter 7 yields A `S3 ! [ ]. This together with (14.2.1), (14.2.2), and PDL manipulation yields A `S3 ' ! [ ] . Remark 14.11: The theorem holds also if is allowed to involve tests of the
form <>, where is rst-order and is constructed inductively in the same way.
Arithmetical Completeness for the General Case In this section we prove the completeness of an axiom system for full DL. It is similar in spirit to the system of the previous section in that it is complete relative to the formulas valid in the structure under consideration. However, this system works for arithmetical structures only. It is not tailored to deal with other expressive structures, notably nite ones, since it requires the use of the natural numbers. The kind of completeness result proved here is thus termed arithmetical.
MIT Press Math7X9/2000/06/30:10:36 Page 336
336
Chapter 14
As in Section 12.2, we will prove the results for the special structure N , omitting the technicalities needed to deal with general arithmetical structures, a task we leave to the exercises. The main dierence in the proofs is that in N we can use variables n, m, etc., knowing that their values will be natural numbers. We can thus write n + 1, for example, assuming the standard interpretation. When working in an unspeci ed arithmetical structure, we have to precede such usage with appropriate predicates that guarantee that we are indeed talking about that part of the domain that is isomorphic to the natural numbers. For example, we would often have to use the rst-order formula, call it nat(n), which is true precisely for the elements representing natural numbers, and which exists by the de nition of an arithmetical structure. Consider the following axiom system: Axiom System 14.12:
Axiom Schemes all instances of valid rst-order formulas; all instances of valid formulas of PDL; <x := t>' $ '[x=t] for rst-order '. Inference Rules modus ponens: '; ' ! generalization: '
and 8'x' convergence: '(n + 1) ! <>'(n) '(n) ! < >'(0) for rst order ' and variable n not appearing in . []'
Remark 14.13: For general arithmetical structures, the +1 and 0 in the rule of
convergence denote suitable rst-order de nitions.
MIT Press Math7X9/2000/06/30:10:36 Page 337
Axiomatization
337
As in Axioms System 14.9, denote by A `S4 ' provability of ' in the system obtained from Axiom System 14.12 by adding all A-valid rst-order sentences as axioms. Interestingly, the in nitary system 14.6 and the arithmetical system 14.12 deal with in dual ways. Here we have the arithmetical convergence rule for < >, and [ ] is dealt with by the PDL induction axiom, whereas in 14.6 we have the in nitary rule for [ ], and < > is dealt with by the PDL unfolding axiom. Before we address arithmetical completeness, we prove a slightly more speci c version of the expressiveness result of Theorem 12.6. Again, we state it for N , but an appropriately generalized version of it holds for any arithmetical structure. For any DL formula ' and program , there is a rst-order formula (n) with a free variable n such that for any state u in the structure N , we have Lemma 14.14:
N ; u (n) () N ; u <u(n) >': (Recall that u(n) is the value of variable n in state u.) Proof The result is obtained as in the proof of Theorem 12.6 in the following way: (n) will be constructed just as (<>')L in that proof. Instead of taking ' (y) which de nes the set fpq j 2 CS ()g, we take a formula ' (n; y) de ning the r.e. set
f(n; p1 n q) 2 N 2 j 1 ; : : : ; n 2 CS ()g: The rest of the proof is as in Theorem 12.6. We rst show that Axiom System 14.12 is arithmetically complete for rst-order termination assertions. Theorem 14.15: For every formula of DL of the form ' ! <> , for rst-order
formulas ' and and program involving only rst-order tests,
N () N `S4 : Proof Soundness is trivial. For completeness, we proceed by induction on the structure of . As in Theorem 14.10, we present the case for = . By assumption, N ' ! < > . Consider the rst-order formula (n) of Lemma 14.14 for and . Clearly N ' ! 9n (n) for n not appearing in ',
MIT Press Math7X9/2000/06/30:10:36 Page 338
338
Chapter 14
or , and N (0) ! . Hence, these being rst-order, we have
N `S4 ' ! 9n (n); N `S4 (0) ! : However, from the meaning of (n), we also have N (n + 1) ! < >(n). By the inductive hypothesis, we obtain N `S4 (n + 1) ! < >(n). The convergence rule now yields N `S4 (n) ! < >(0). Applying the generalization rule with 8n and using rst-order manipulation, we obtain N `S4 9n (n) ! < >(0), which together with the two formulas above gives the result. The main result here is the following, which holds for any arithmetical structure (see Exercise 14.6): Theorem 14.16:
For every formula of DL,
N () N `S4 : Proof Soundness is obvious. For completeness, let N . De ne k to be the sum of the number of programs in and the number of quanti ers pre xing non- rstorder formulas in . (Of course, we also count those quanti ers and programs that appear within tests.) We proceed by induction on k . If k = 0, must be rst-order, so that N `S4 . For k > 0, we can assume that is in conjunctive normal form and then deal with each conjunct separately. Without loss of generality (see Exercise 14.7), it suces to deal with formulas of the form ' ! op , where op 2 f8x; 9x; <>; []g for some x or , and where op is not rst-order. This way, we have k' , k < k . Now consider the rst-order formulas 'L and L , which exist by the expressiveness of N . Clearly, since N ' ! op , we also have N 'L ! op L . We now claim that this implication is in fact provable:
N `S4 'L ! op L : (14.2.3) For op 2 f8x; 9xg, the claim is trivial, since the formula is rst-order. For the cases [] and <>, the proof proceeds by induction on exactly as in the proofs of Theorems 14.10 and 14.15, respectively. The only dierence is that the main inductive hypothesis of the present proof is employed in dealing with non- rstorder tests. Now, from N ' ! 'L and N L ! , we deduce N `S4 ' ! 'L and N `S4 L ! by the inductive hypothesis, since k' , k < k . These combine with
MIT Press Math7X9/2000/06/30:10:36 Page 339
Axiomatization
339
(14.2.3) and some PDL and rst-order manipulation to yield N `S4 ' ! op , as desired. The use of the natural numbers as a device for counting down to 0 in the convergence rule of Axiom System 14.12 can be relaxed. In fact, any well-founded set suitably expressible in any given arithmetical structure suces. Also, it is not necessary to require that an execution of causes the truth of the parameterized '(n) in that rule to decrease exactly by 1; it suces that the decrease is positive at each iteration. Example 14.17:
Consider the following program for computing vw for natural
numbers v and w. (z; x; y) := (1; v; w); while y > 0 do if even (y) then (x; y) := (x2 ; y=2) else (z; y) := (zx; y ; 1) We shall prove using Axiom System 14.12 that this program terminates and correctly computes vw in z . Speci cally, we show N `S4 (z = 1 ^ x = v ^ y = w) ! <(((y > 0 ^ even(y))?; x := x2 ; y := y=2) [ (odd(y)?; z := z x; y := y ; 1))> (y = 0 ^ z = vw ): Consider the formula above as ' ! <( [ ) > . We construct a rst-order formula (n), for which we show (i) N `S4 ' ! 9n (n) (ii) N `S4 (0) ! (iii) N `S4 (n + 1) ! < [ >(n). Application of the convergence rule to (iii) and further manipulation yields the result. Let (n) def = zxy = vw ^ n = blog2 yc + 1bin(y): Here 1bin(y) is the function yielding the number of 1's in the binary representation of y. Clearly, 1bin(y), even(y), odd(y) and blog2 yc are all computable, hence they
MIT Press Math7X9/2000/06/30:10:36 Page 340
340
Chapter 14
are rst-order de nable in N . We consider their appearance in (n) as abbreviations. Also, consider y := y=2 as an abbreviation for the obvious equivalent program over N , which need be de ned only for even y. To prove (i) and (iii), all we need to show is that the formulas therein are N valid, since they are rst-order and will thus be axioms. For example, (0) ! is (zxy = vw ^ 0 = blog2 yc + 1bin(y)) ! (y = 0 ^ z = vw ); which is clearly N -valid, since 1bin(y) = 0 implies y = 0, which in turn implies zxy = z . To prove (iii), we show N `S4 ((n + 1) ^ y > 0 ^ even(y)) ! <>(n) (14.2.4) and N `S4 ((n + 1) ^ odd(y)) ! < >(n): (14.2.5) PDL and rst-order reasoning will then yield the desired (iii). Indeed, (14.2.4) is obtained by applying the assignment axiom and the PDL axiom for tests to the following formula: (zxy = vw ^ n + 1 = blog2 yc + 1bin(y) ^ y > 0 ^ even(y)) ! (y > 0 ^ even(y) ^ z = (x2 )y=2 = vw ^ n = blog2 (y=2)c + 1bin(y=2)): This formula is N -valid (and hence an axiom), since for any even y, 1bin(y) = 1bin(y=2) and blog2 (y)c = 1 + blog2 (y=2)c. Similarly, (14.2.5) is obtained from the formula: (zxy = vw ^ n + 1 = blog2 yc + 1bin(y) ^ odd(y)) ! (odd(y) ^ zxxy;1 = vw ^ n = blog2 (y ; 1)c + 1bin(y ; 1)): This formula is also N -valid, since for odd y, 1bin(y) = 1 + 1bin(y ; 1) and blog2 yc = blog2 (y ; 1)c. Note that the proof would have been easier if the truth of (n) were allowed to \decrease" by more than 1 each time around the loop. In such a case, and with a more liberal rule of convergence (see Exercise 14.8), we would not have had to be so pedantic about nding the exact quantity that decreases by 1. In fact, we could have taken (n) to be simply zxy = vw ^ n = y. The example was chosen in its present form to illustrate the fact (which follows from the completeness result) that in principle the strict convergence rule can always be used.
MIT Press Math7X9/2000/06/30:10:36 Page 341
Axiomatization
341
In closing, we note that appropriately restricted versions of all axiom systems of this chapter are complete for DL(dreg). In particular, as pointed out in Section 5.7, the Hoare while-rule
' ^ ! []' ' ! [while do ](' ^ : )
results from combining the generalization rule with the induction and test axioms of PDL, when is restricted to appear only in the context of a while statement; that is, only in the form ( ?; p) ; (: )?.
14.3 Bibliographical Notes Completeness for termination assertions (Theorem 14.4) is from Meyer and Halpern (1982). In nitary completeness for DL (Theorem 14.7) is based upon a similar result for Algorithmic Logic (see Section 16.1) by Mirkowska (1971). The proof sketch presented here is an adaptation of Henkin's proof for L!1 ! appearing in Keisler (1971). The notion of relative completeness and Theorem 14.10 are due to Cook (1978). The notion of arithmetical completeness and Theorems 14.15 and 14.16 are from Harel (1979). The use of invariants to prove partial correctness and of well-founded sets to prove termination are due to Floyd (1967). An excellent survey of such methods and the corresponding completeness results appears in Apt (1981). Some contrasting negative results are contained in Clarke (1979), Lipton (1977), and Wand (1978).
Exercises 14.1. Prove Proposition 14.1. 14.2. Prove Lemma 14.3. 14.3. Complete the proof of Theorem 14.4. 14.4. Show that every nite structure is expressive for the regular programs of DL. 14.5. Complete the proof of Theorem 14.10.
MIT Press Math7X9/2000/06/30:10:36 Page 342
342
Chapter 14
14.6. Phrase and prove Theorems 14.15 and 14.16 for general arithmetical structures. 14.7. Justify the special form of formulas that is used in the proof of Theorem 14.16. 14.8. Formulate a more liberal rule of convergence as in the discussion following Theorem 14.16. Prove that if the convergence rule of Axiom System 14.12 is replaced with the new one, the resulting system is arithmetically complete. 14.9. Extend Axiom Systems 14.6 and 14.12 to handle array assignments, and prove the in nitary and arithmetical completeness, respectively, of the resulting systems.
MIT Press Math7X9/2000/06/30:10:36 Page 343
15 Expressive Power
The subject of study in this chapter is the relative expressive power of languages. We will be primarily interested in comparing, on the uninterpreted level, the expressive power of various versions of DL. That is, for programming languages P1 and P2 we will study whether DL(P1 ) DL(P2 ) holds. Recall from Chapter 12 (Section 12.1) that the latter relation means that for each formula ' in DL(P1 ), there is a formula in DL(P2 ) such that A; u ' $ for all structures A and initial states u. Before describing the contents of this chapter, we pause to make two comments. The rst is that by studying the expressive power of logics, rather than the computational power of programs, we are able to compare, for example, deterministic and nondeterministic programming languages. More on this will appear in Section 15.2. The second comment is that the answer to the fundamental question \DL(P1 ) DL(P2 )?" may depend crucially on the vocabulary over which we consider logics and programs. Indeed, as we will see later, the answer may change from \yes" to \no" as we move from one vocabulary to another. For this reason we always make clear in the theorems of this chapter our assumptions on the vocabulary. Section 15.1 introduces the very useful concept of the unwinding of a program. Some basic properties of this notion are proved there. Section 15.2 establishes the fundamental connection between spectra of formulas (i.e. codes of nite interpretations in which a given formula holds) and the relative expressive power of logics of programs. This section also makes some connections with computational complexity theory. Section 15.3 studies the important question of the role nondeterminism plays in the expressive power of logic. We discuss separately the case of regular programs (Section 15.3) and regular programs with a Boolean stack (Section 15.3). The more powerful programs are discussed in Section 15.3. In Section 15.4 we study the question of the impact on the expressive power of bounded vs. unbounded memory. We discuss separately the cases of a polyadic vocabulary (Section 15.4) and a monadic vocabulary (Section 15.4). The power of a Boolean stack vs. an algebraic stack and vs. pure regular programs is discussed in Section 15.5. Finally, in Section 15.6 we discuss some of the aspects of adding wildcard assignment to other programming constructs. For now, we adopt a very liberal notion of a program. Let be a nite vocabulary. All we assume about the programming language is that for every program we have a set CS () of seqs that describe the semantics of in all structures of the same signature. Hence, for every -structure A we have a binary
MIT Press Math7X9/2000/06/30:10:36 Page 344
344
Chapter 15
input/output relation mA () S A S A de ned by the equation mA () =
[
fmA() j 2 CS ()g:
We assume that with each program 2 K there is associated a nite set of individual variables FV () V that occur in . The property that we need is that for all u; v 2 S A , if (u; v) 2 mA () then u(x) = v(x) for all x 2 V ; FV (); that is, does not change the values of individual variables that are not in FV ().
15.1 The Unwind Property We present a powerful technique that can be sometimes used to establish that one logic is strictly less expressive than another. This technique is based on the notion of the unwind property. We say that unwinds in a structure A if there exists m 2 N and seqs 1 ; : : : ; m 2 CS () such that mA () = mA (1 ) [ [ mA (m ):
The next result says that the unwind property is invariant under elementary equivalence of structures. The unwind property is invariant under elementary equivalence of structures. That is, for every program and for all structures A and B that are elementarily equivalent, Proposition 15.1:
mA () = mA (1 ) [ [ mA (m ) =) mB() = mB (1 ) [ [ mB (m );
where 1 ; : : : ; m 2 CS (). Proof Assume that unwinds in A; that is, there are m 2 N and 1 ; : : : ; m 2 CS () such that mA () = mA (1 ) [ [ mA (m ):
(15.1.1)
For each i 2 N , let 'i be a rst-order formula describing the input-output relation of i ; that is, if x1 ; : : : ; xn are all registers of and y1 ; : : : ; yn are new variables, then
j= 'i $ <i >(x1 = y1 ^ ^ xn = yn ): By Lemma 14.3, we know that there exists such a formula.
MIT Press Math7X9/2000/06/30:10:36 Page 345
Expressive Power
345
It follows from (15.1.1) that for all i 2 N , the formula
8x1 : : : 8xn 8y1 : : : 8yn ('i ! ('1 _ _ 'n )) holds in A. Thus, it holds in B as well, therefore mB ()
mB (1 ) [ [ mB (m ):
Since the opposite inclusion always holds, it follows that unwinds in B. If ' is a DL formula over a programming language P and A is a structure such that all programs that occur in ' unwind in A, then there is a rst-order formula ' such that Lemma 15.2:
Th A j= ' $ ': Proof The proof is by induction on '. The only non-trivial step is when ' is []'0 . If the program unwinds in A, then for some m 2 N and for some 1 ; : : : ; m 2 CS (), the programs and 1 [ [ m are equivalent in A, and by Proposition 15.1 they are equivalent in all models of Th(A). By Lemma 14.3, there is a rst-order formula that in all models describes the input-output relation of 1 [ [ m ; that is,
j=
$ <1 [ [ m >(x1 = y1 ^ ^ xn = yn );
where x1 ; : : : ; xn are all the registers of and y1 ; : : : ; yn are fresh variables. By the inductive hypothesis, there is a rst-order formula '0 such that
Th A j= '0 $ '0: Assuming that y1 ; : : : ; yn do not occur free in '0 , we have
Th A j= []'0 $ 8y1 : : : 8yn (
! '0 [x1 =y1 ; : : : ; xn =yn]);
which completes the proof. Lemma 15.2 gives a useful method for showing that some programs do not unwind. We illustrate it with the program Next0 of Proposition 13.7. Proposition 15.3: If A is an in nite structure without proper substructures, then Next0 does not unwind in A.
MIT Press Math7X9/2000/06/30:10:36 Page 346
346
Chapter 15
Proof Observe that the formula
8x0 8x1
Th A j= ' $ 8x08x1
Proof Let CS () = fi j i 0g. Let FV () = fx1 ; : : : ; xn g be all the input registers of . Let y1 ; : : : ; yn be new variables. We prove that the formula
=
<>(x1
= y1 ^ ^ xn = yn )
is equivalent to no formula of DL(P2 ). Indeed, assume that is equivalent to a formula ' of DL(P2 ). Let 1 ; : : : ; m be all the programs occurring in ', and take a structure A in which each i unwinds and does not. The latter property means that the set
f g [ f:<0 [ [ k >(x1 = y1 ^ ^ xn = yn ) j k 0g is nitely satis able in A. For k 0, let k be a rst-order formula that is equivalent to
:<0 [ [ k >(x1 = y1 ^ ^ xn = yn ) in all models (see Lemma 14.3). By Lemma 15.2, there is a rst-order formula ' that is equivalent to ' over all
MIT Press Math7X9/2000/06/30:10:36 Page 347
Expressive Power
347
structures elementarily equivalent to A; that is, Th A j= ' $ ': Since ' is equivalent to , it follows that the set Th A [ f'g [ f k j k 0g is nitely satis able. By the compactness property for predicate logic (Theorem 3.57), it has a model B. This model is such that ' holds but does not. This contradiction completes the proof.
15.2 Spectra and Expressive Power The goal of the present section is to relate the question of comparing the expressive power of Dynamic Logic over various programming languages to the complexity of spectra of the corresponding programming languages. As we will see later, for suciently powerful programming languages, the only way to distinguish between the corresponding logics is by investigating the behavior of the programs over nite interpretations. An important notion often studied in the area of comparative schematology is that of translatability of one programming language into another. Let K1 and K2 be programming languages. We say that a program 2 K2 simulates a program 2 K1 if for every -structure A the following holds: f(u; v FV ()) j (u; v) 2 mA (); u is initialg = f(u; v FV ()) j (u; v) 2 mA ( ); u is initialg: The reason for restricting v in the above formula to FV () is to allow to use auxiliary variables and perhaps some other data types. We say that a program 2 K1 is translatable into K2 , if there exists 2 K2 that simulates . Finally, K1 is translatable into K2, denoted K1 K2 , if every program of K1 is translatable into K2 . A programming language K is said to be admissible if: (i) it is translatable into the class of r.e. programs; (ii) all atomic regular programs and all tests are translatable into K ; (iii) K is semantically closed under composition, if-then-else and while-do; e.g., closure under composition means that if ; 2 K , then there is 2 K such that for every A, mA ( ) = mA () mA ( ), and similarly for the other constructs.
MIT Press Math7X9/2000/06/30:10:36 Page 348
348
Chapter 15
Thus, if K is admissible, we will treat it as being syntactically closed under the above constructs. This will allow us to write expressions like if ' then else , where ' is a quanti er free formula and ; 2 K . Such expressions, even though they do not necessarily belong to K , are semantically equivalent to programs in K . This convention will simplify notation and should never lead to confusion. The relation of translatability can be further weakened if all we care about is the expressive power of the logic. For example, as we will see later, there are programming languages K1 and K2 such that DL(K1 ) DL(K2 ) holds, even though K1 contains nondeterministic programs and K2 contains only deterministic programs, so that K1 K2 is impossible. It follows from the next result that all that really matters for the expressive power of the relevant logic are the termination properties of programs in the programming language. Proposition 15.5: Let K be admissible. For every formula ' of DL(K ) there is a formula '0 of DL(K ) that is equivalent in all interpretations to ' and such that for every program that occurs in '0 , if occurs in the context [] , then = 0.
Proof If occurs in ' in the context [] with 6= 0, then we replace [] with
8y1 : : : 8ym (:[; (x1 = y1 ^ ^ xm = ym )?]0 ! [x1 =y1; : : : ; xm =ym]); where x1 ; : : : ; xm are all variables that occur freely in and y1 ; : : : ; ym are fresh variables that occur neither in nor in . Since K is admissible, it follows that ; (x1 = y1 ^ ^ xm = ym )? belongs to K . After a nite number of steps we transform ' into the desired formula '0 . The above comments motivate the following de nition. K2 is said to terminationsubsume K1 , denoted K1 T K2 , if for every 2 K1 there is 2 K2 such that for every -structure A and for every state u 2 S A , we have A; u <>1
() A; u < >1:
Notice that the above is equivalent to A; u []0
() A; u [ ]0:
Proposition 15.6:
Let K1 and K2 be admissible programming languages.
(i) If K1 K2 , then K1 T K2 . (ii) If K1 T K2 , then DL(K1 ) DL(K2 ).
MIT Press Math7X9/2000/06/30:10:36 Page 349
Expressive Power
349
Proof The rst part is immediate. The second follows immediately from Proposition 15.5. An admissible programming language K is said to be semi-universal if for every m > 0, the program Nextm of Proposition 13.7 is translatable into K . Examples of semi-universal programming languages include r.e. programs, regular programs with an algebraic stack, and regular programs with arrays. A corollary of the following result is that the expressive power of DL over a semi-universal programming language can be determined by investigating nite interpretations only. Recall that a state u is Herbrand-like (see the beginning of Section 13.2) if the values assigned by u to the individual variables (there are nitely many of them) generate the structure.
If K is semi-universal, then for every r.e. program there is 2 K such that and have the same termination properties over all in nite interpretations; that is, for every in nite -structure A and for every Herbrand-like state u in A, Proposition 15.7:
A; u <>1
() A; u < >1:
Proof sketch. We sketch the proof, leaving the details to the reader. Let be an arbitrary r.e. program and let FV () fx0 ; : : : ; xm g. Clearly, the termination of in any interpretation depends only on the values of variables in FV () and on the substructure generated by these values. Thus, we can assume that the state u in the conclusion of the proposition is an Herbrand-like m-state. Let us start by observing that using Nextm and working in an in nite interpretation gives us counters, with a successor function that corresponds to the particular order in which all elements of the substructure generated by the input occur in the natural chain. Zero is represented here as the rst element of the natural chain; testing for zero and testing the equality of counters can be done easily. The control structure of a deterministic regular program with these counters is strong enough to compute every partial recursive function. Now, we can use counters to simulate the Turing machine that computes CS () = fn j n 2 Ng. The regular program that will simulate searches through all seqs n starting with 0 , trying to nd the rst one that terminates. It halts as soon as it nds one such n . In order to simulate the computation of n , has to be able to compute the value of any term t with variables in fx0 ; : : : ; xm g. This can be done as follows. Given t, the program computes the value of t with respect to the actual values
MIT Press Math7X9/2000/06/30:10:36 Page 350
350
Chapter 15
stored in x0 ; : : : ; xm by rst computing the values for subterms of t of depth 1, then of depth 2, etc. Of course, in order to do this, has to store the intermediate values. For this we use the power of counters and the program Nextm . Using counters, can encode arbitrary nite sequences of natural numbers. Using Nextm gives a natural encoding of all the elements of the substructure generated by the input. Now, it should be clear that being able to compute the value of any term with variables in fx0 ; : : : ; xm g, the program can perform the computation of every n . Since K is admissible, it follows that the program described above is equivalent to a program in K . An admissible programming language K is divergence-closed if for every 2 K there exists 2 K and two variables x; y 2 V such that for every nite Herbrandlike interpretation (A; u) with A having at least two elements, A; u <>1 A; u []0
() A; u < >(x = y); () A; u < >(x 6= y):
Informally, decides without diverging whether possibly terminates. If K is divergence-closed, then for every 2 K there exists 2 K such that for every nite Herbrand-like interpretation (A; u) with A having at least two elements, we have both Lemma 15.8:
A; u <>1 A; u []0
() A; u [ ]0 () A; u < >1:
Proof Take as the program ; (x 6= y)?, where is a program that corresponds to by the de nition of K being divergence-closed. Since K is admissible, it follows that (semantically) belongs to K .
We now list some languages that are semi-universal and divergence-closed. In some cases this depends on the vocabulary . Proposition 15.9:
and divergence-closed:
The following programming languages are semi-universal
(i) For every containing at least one function symbol of arity at least two, or at least two unary function symbols: (deterministic/nondeterministic) regular programs with algebraic stack;
MIT Press Math7X9/2000/06/30:10:36 Page 351
Expressive Power
351
(deterministic/nondeterministic) regular programs with arrays.
(ii) For every mono-unary : deterministic regular programs; deterministic regular programs with a Boolean stack.
Proof sketch. First, we sketch the proof of (i). In the proof of Theorem 13.12 there is a sketch of a mutual simulation between Cook's log n-APDA's and deterministic regular programs with an algebraic stack. It follows from the proof of Cook's theorem (see Chapter 14 of Hopcroft and Ullman (1979)) that we can assume without loss of generality that deterministic log n-APDA's halt for every input. Since the simulation of a deterministic log n-APDA by a deterministic regular program with algebraic stack is step by step, it follows that can nd out in a nite number of steps whether the log n-APDA accepts or rejects the input. Then halts, assigning the same value to the special variables x and y if the input is accepted, and assigning two dierent values to x and y otherwise. The same remarks hold for nondeterministic regular programs with an algebraic stack. The same argument applies to regular programs with arrays. Here the mutual simulation is with polynomial-space bounded Turing machines, and without loss of generality we may assume that these Turing machines halt for every input. This proves (i). For part (ii), we use an argument similar to the one used above, except that now we work with log-space bounded Turing machines (see Theorem 13.11). This proves the result for deterministic regular programs. The second part of (ii) follows immediately from (i) and from the fact that over a mono-unary vocabulary regular programs with a Boolean stack are computationally equivalent to regular programs with an algebraic stack (Exercise 15.10). It is not known whether the class of all regular programs is divergence-closed for vocabularies richer than mono-unary. It turns out that for semi-universal and divergence-closed programming languages, the DL theory of nite interpretations reduces to termination properties.
If K is semi-universal and divergence-closed, then for every formula ' of DL(K ) there exists a program ' 2 K such that for every nite structure A, for every m 0, and for every Herbrand-like m-state w in A, we have Proposition 15.10:
A; w '
$ <' >1:
MIT Press Math7X9/2000/06/30:10:36 Page 352
352
Chapter 15
Proof Let us x m 0. We rst prove the conclusion of the proposition by induction on ', assuming that A has at least two elements. For the case when ' is of the form '1 ! '2 , we use the divergence tests for the programs obtained by the induction hypothesis. For the case when ' is of the form 8z '1 , in addition to using the divergence test for the program corresponding to '1 , we have to use Nextm to search A; that is, the structure generated by the input. Finally, for the case when ' is of the form [] , we nd by the inductive hypothesis such < >1 and are equivalent over all nite Herbrand-like interpretations. For , we nd such that < >1 and [ ] 0 are equivalent over all nite Herbrand-like interpretations with at least two elements (we apply Lemma 15.8 here). Thus, it follows that ' and [; ]0 are equivalent over all nite Herbrand-like interpretations with at least two elements. Applying Lemma 15.8 again to the program ; yields the desired ' . In order to extend the result to one element structures, we have to perform a test to see whether the structure is indeed of one element only. For this, denote by the conjunction of the following formulas:
xi = xj , for 0 i; j m, f (x0 ; : : : ; x0 ) = x0 , where f ranges over all function symbols of . The next observation we need for the case of one element structures is that there are at most 2k dierent isomorphism types of such structures, where k is the number of relation symbols in the vocabulary. Each such structure is uniquely determined by a conjunction of formulas of the form r(x0 ; : : : ; x0 ) or :r(x0 ; : : : ; x0 ), where r ranges over all relation symbols of . Now, given ', let 1 ; : : : ; n be all the formulas that describe the one element structures in which ' holds. Let 0 be the program found for ' in the rst part of the proof; that is, the one that works correctly in structures containing at least two dierent elements. The program we are looking for is:
if
then if 1 _ _ n then skip else fail else 0
This completes the proof. Observe that the above proof does not give an eective construction of the program from '. The reason is that in general there is no eective procedure to
MIT Press Math7X9/2000/06/30:10:36 Page 353
Expressive Power
353
determine whether a given formula of DL(K ) holds in a one-element structure. For example, for an r.e. program , it is undecidable whether terminates in a given one-element interpretation. We are now ready to present the main result of this section. It relates complexity classes and spectra to the expressive power of Dynamic Logic. This result proves to be a strong tool for establishing relative expressive power of several logics of programs. We will use it in a number of places in the present chapter. Let be a rich vocabulary. Let K1 and K2 be programming languages over such that K1 is acceptable and K2 is semi-universal and divergence-closed. Let C1 ; C2 2f0;1g denote families of sets that are downward closed under logarithmic space reductions. Let SP (Ki ) Ci for i = 1; 2. The following statements are equivalent: (i) DL(K1 ) DL(K2 ); (ii) SP m (K1 ) SP m (K2 ) for all m 0; (iii) C1 C2 ; (iv) K1 T K2 . Theorem 15.11 (Spectral Theorem):
Proof For the implication (i) =) (ii), consider any m 0 and any 2 K1 . It follows from (i) that there exists a formula ' of DL(K2 ) such that <>1 and ' are equivalent in all interpretations. By Proposition 15.10, there is a 2 K2 such that A; w
1$'
< >
holds for every nite -stucture A and every Herbrand-like m-state w. Thus SP () = SP ( ), which proves (ii). Now for (ii) =) (iii). Consider any X 2 C1 . By Lemma 13.10, there is a language Y H0L such that (15.2.1) X log Y log X: Hence Y 2 C1 , and since SP (K1 ) captures C1 , it follows that there exists 2 K1 such that Y = SP0 (). By (ii), there is 2 K2 such that SP0 () = SP0 ( ), therefore Y 2 C2 . Since C2 is downward closed under log-space reductions, it follows from (15.2.1) that X 2 C2 . This proves (iii). For the proof of (iii) =) (iv), consider any 2 K1 . We describe a program 2 K2 such that for all -structures A and states w, we have A; w <>1
() A; w < >1:
MIT Press Math7X9/2000/06/30:10:36 Page 354
354
Chapter 15
Let FV () fx0 ; : : : ; xm g and let 2 K2 be such that SPm () = SPm ( ). Since K1 is admissible, it follows that there is an r.e. program 0 that is equivalent to in all interpretations. Let 0 2 K2 be the program of Proposition 15.7, which has the same termination properties as 0 in all in nite interpretations. In the rst phase of the simulation of by , the latter runs 0 to nd out whether 0 , and therefore , has terminated. The simulation is performed under the assumption that the substructure A0 of A generated by fw(x0 ); : : : ; w(xm )g is in nite. Either the simulation succeeds with terminating, in which case terminates too, or else 0 discovers that A0 is nite. The niteness of A0 is discovered by nding out that the value of xm+1 returned by Nextm equals the previous value of xm+1 . Having discovered this, aborts the simulation and runs the program on the restored initial valuation of x0 ; : : : ; xm . If uses any variable xn with n > m, then prior to running , resets its value by the assignment xn := xm . Since A0 is nite, terminates i terminates. This proves K1 T K2. The implication (iv) =) (i) is just Proposition 15.6. We conclude this section with an example of how the Spectral Theorem can be applied. We will see more applications of this theorem later in the book. Theorem 15.12:
Let be a rich vocabulary. Then
(i) DL(stk) DL(array). (ii) DL(stk) DL(array) i P = PSPACE . Moreover, the same holds for deterministic regular programs with an algebraic stack and deterministic regular programs with arrays. Proof The result follows immediately from Theorem 15.11, Proposition 15.9, Theorem 13.12, and Theorem 13.13.
A similar result can be proved for poor vocabularies. The complexity classes change, though. This is treated in the exercises (Exercise 15.12). We remark that part (i) of Theorem 15.12 can be proved directly by showing that (deterministic) regular programs with an algebraic stack are translatable into (deterministic) regular programs with arrays.
MIT Press Math7X9/2000/06/30:10:36 Page 355
Expressive Power
355
15.3 Bounded Nondeterminism In this section we investigate the role that nondeterminism plays in the expressive power of logics of programs. As we shall see, the general conclusion is that for a programming language of sucient computational power, nondeterminism does not increase the expressive power of the logic.
Regular Programs
We start our discussion of the role of nondeterminism with the basic case of regular programs. Recall that DL and DDL denote the logics of nondeterministic and deterministic regular programs, respectively. For the purpose of this subsection, x the vocabulary to consist of two unary function symbols f and g. Any given nonempty pre x-closed subset A f0; 1g determines a structure A = (A; f A ; gA ), where w 0; if w 0 2 A A f (w) = w; otherwise. In the above de nition, w 0 denotes the result of concatenating 0 at the right end of word w. The de nition of gA is similar with 1 replacing 0. Such structures are called treelike structures . Throughout this subsection, we will be referring to the algebra A by indicating its carrier A. This will not lead to confusion. In particular, we will be interested in the algebras Tn = fw 2 f0; 1g j jwj ng for n 2 N . The main combinatorial part of our proof demonstrates that the number of elements of Tn that a deterministic regular program can visit is at most polynomial in n. Thus, for suciently large n, there will be elements in Tn that are not visited during a computation starting from the root of Tn . This bound depends on the program|the larger the program, the larger n will be. On the other hand, the following simple nondeterministic regular program visits all the elements of any Tn : while x 6= y? do (x := f (x) [ x := g(x)): Thus, the formula ' = 9x 8y <while x 6= y? do (x := f (x) [ x := g(x))>1 (15.3.1) states that there is an element from which every element of the domain is reachable by a nite number of applications of the operations f and g. It can be shown that this formula is equivalent to no formula of DDL.
MIT Press Math7X9/2000/06/30:10:36 Page 356
356
Chapter 15
For technical reasons, we represent while programs here as consisting of labeled statements. Thus, deterministic while programs contain the following three kinds of statements:
` : xi := (xj ), where (xj ) is either xj , f (xj ), or g(xj ); ` : halt; ` : if xi = xj then `0 else `00 . The computational behavior of a program in a structure A f0; 1g is represented by a sequence of states = (`1 ; a1 ); : : : ; (`i ; ai ); : : : , where `i is a label of the statement to be executed at the ith step and ai is the vector of current values stored in the registers of . To represent a computation of , must satisfy the following properties:
(`1 ; a1 ) is the initial state; that is, `1 is the label of the rst statement to be
executed by , and a1 represents the input. To move from (`i ; ai ) to (`i+1 ; ai+1 ), the statement labeled `i is executed, which determines the next statement `i+1 , and ai+1 is the vector of the new values after executing `i . If `i is a label of halt, then there is no next state. By an L-trace of a computation we mean the sequence Ltr () = `1 ; : : : ; `n ; : : : of labels of the consecutive statements of . Let Cmp (; A) denote the set of all computations of in A. Call a computation terminating if it is nite and the last pair of contains the halt statement. Since we are dealing with deterministic programs, every nonterminating nite computation can be uniquely extended to a longer computation. The length of a computation is the number of pairs in it. Let LtrCmp (; A; n) denote the set of all L-traces of computations of in A whose length is at most n. Let L = `1 ; `2 ; : : : be a sequence of labels. We de ne a formal computation of along L as a sequence t0 ; t1 ; : : : of k-tuples of terms, where k is the number of registers of . This sequence represents a history of values that are stored in registers, assuming that the computation followed the sequence L of labels. The values are terms. They depend on the input, which is represented by variables1 1 We do not make a clear distinction between registers of a program and variables. We usually think of registers as part of the computer on which the program is being executed, while variables are part of a formal language (usually they appear in terms) that is used to describe properties of a computation.
MIT Press Math7X9/2000/06/30:10:36 Page 357
Expressive Power
357
x1 ; : : : ; xk . Let 1 i k and 0 m < jLj. We de ne tmi by induction on m: t0i def = xi
(tmj ); if `m is a label of xi := (xj ) tmi ; otherwise. In the above formula, we use the abbreviation (x) to denote one of x; f (x) or g(x). Take any sequence L = `1 ; `2 ; : : : of labels and a formal computation t0 ; t1 ; : : : of along L. For registers xi and xj of , we say that xi and xj witness a left turn at the mth step of L and write WL (i; j ) = m if m > 0 is the smallest number such that `m;1 is a label of a statement if xp = xq then `m else `0 , the element tm p contains the variable xi , and tm q contains the variable xj (or conversely). If there is no such m, then we say that xi and xj do not witness a left turn, and in that case we let WL (i; j ) = 0. The general form of a term is 1 m (x), where each i is either f or g. Taking tmi +1 def =
into account the interpretation of function symbols in A, we can represent such a term by the word xwm w1 , where wi 2 f0; 1g is 0 if i is f and to 1 if i is g. This representation of a term supports the intuition that, given a value for x as a word u 2 A, the result of evaluating this term is obtained from u by traveling along the path w = wm w1 . Of course, we apply here our convention that we follow the path w as long as we stay within the elements of A, i.e. the \true" result is uwn w1 , where wn w1 is the longest pre x of w such that uwn w1 2 A. Lemma 15.13: Let be a deterministic while program, and let ; 0 2 Cmp (; Tn ) be computations with input values a and a0 , respectively. Let L = Ltr () and L0 = Ltr (0 ) be the L-traces of the corresponding computations. As-
sume that (i) jLj = jL0 j, (ii) For all 1 i; j k, WL (i; j ) = WL (i; j ), (iii) For all 1 i k, jai j = ja0i j. Then L = L0 . 0
Proof Let L = `1; `2 ; : : : and L0 = `01 ; `02 ; : : : . We prove by induction on 0 < m < jLj that `m = `0m for all m. For m = 1, this is obvious, since `1 = `01 is the label of the start statement of . Let 1 < m < jLj and assume that `r = `0r for all r < m. Consider the statement labeled `m;1 = `0m;1 . If this is an assignment statement, then the next statement
MIT Press Math7X9/2000/06/30:10:36 Page 358
358
Chapter 15
is uniquely determined by , hence `m = `0m . Assume now that `m;1 labels if xp = xq then ` else `0 and `m = `, `0m = `0 , ` 6= `0 . If there exist 1 i; j k such that WL (i; j ) = m, then WL (i; j ) = m and `m = `0m. So assume now that WL (i; j ) 6= m; 1 i; j k: (15.3.2) ;1 Consider a formal computation t0 ; t1 ; : : : ; tm;1 of along `1 ; : : : ; `m;1 . Let tm p = xi w and tmq ;1 = xj w0 , for some 1 i; j k, and let w; w0 2 Tn. Thus, we have Tn j= ai w = aj w0 (15.3.3) 0 0 0 Tn j= ai w 6= aj w : (15.3.4) Let m0 = WL (i; j ). It follows from (15.3.3) that m0 > 0, and by (15.3.2) we conclude that m0 < m. It also follows from (15.3.3) that ai is a pre x of aj , or conversely, aj is a pre x of ai . Without loss of generality we may assume the former. Hence, for some 2 f0; 1g, we have Tn j= aj = ai : (15.3.5) 0
By (15.3.4) and (iii), we have Tn j= a0j 6= a0i : (15.3.6) Since at step m0 both computations run through the \yes"-branch of some if-then-else statement, it follows that for some u; u0 2 f0; 1g we have Tn j= ai = aj u0 and Tn j= a0i u = a0j u0 : (15.3.7) Again, by (iii) and (15.3.7) it follows that there is a common 0 2 f0; 1g such that Tn j= aj = ai 0 and a0j = a0i 0 : Thus, by (15.3.5) we have = 0 , which yields a contradiction with (15.3.6). This completes the proof.
Let be a deterministic while program with k registers. Then for all n; p 2 N we have 2 #LtrCmp (; Tn ; p) nk pk : Lemma 15.14:
Proof It follows from Lemma 15.13 that an L-trace L of a given length r p is
MIT Press Math7X9/2000/06/30:10:36 Page 359
Expressive Power
359
uniquely determined by the left-turn-witness function 2WL and the length of the input data. The number of possible functions WL is rk pk2 , and the number of possible lengths of values for k input variables in Tn is nk . 2Thus the total number of all L-traces of length at most p is no greater than nk pk . Lemma 15.14 fails for nondeterministic programs. It holds for programs that are more powerful than while programs, though they still have to be deterministic. For every 1 i k, we de ne a function Gi : N ! N as follows. For n 2 N , Gi (n) is the maximum number m 2 N such that there is a computation 2 Cmp (; Tn ) and an i-element set B Tn such that for m consecutive steps of (not necessarily starting at the beginning of the computation), some registers of store all the elements of B . Moreover, we require that no state in repeats. Observe now that the number of states of the program is at most 2cnk , where c > 0 depends on jj. Thus
Gi (n) 2cnk holds for all 1 i k. We show that the Gi can in fact be bounded by a polynomial in n. Clearly, Gk (n) jj for all n 2 N . Lemma 15.15:
For every 1 i < k and n 1,
Gi (n) (n + 1)Gi+1 (n) + jjk+1 nk3 +k2 : Proof Take any 1 i < k and n 1. Let B Tn be an i-element set. Let 2 Cmp (; Tn ) be a computation without repeating states. Moreover, assume that starting from step p 1, the values from B occur in every state after the pth state. For any q 0, let V (B; q) be the set of values obtainable from B within q steps of . The precise de nition is by induction on q:
V (B; 0) = B , w 2 V (B; q + 1) i either w 2 V (B; q) or there exist r > p, registers xj1 ; xj2 of , and a value u 2 V (B; q) such that w = u 0 or w = u 1, u occurs in the rth step of in register xj1 , and the rth statement of is xj2 := f (xj1 ) or xj2 := g(xj1 ), depending on whether w = u 0 or w = u 1.
Take any state (`; a) that occurs in at position q > p. Let m n, and assume that q + (m + 1)Gi+1 (n) < jj. Let (`0 ; b) be a state that occurs in at position
MIT Press Math7X9/2000/06/30:10:36 Page 360
360
Chapter 15
q + (m + 1)Gi+1 (n). We prove the following property: For all 1 j k; (jbj j = m =) bj 2 V (B; m)): (15.3.8) The proof is by induction on 0 m n. Let m = 0, and assume that jbj j = 0. Since there is no way to set a register to value " other than by assigning to it the contents of another register containing ", it follows that " must have been stored in registers throughout . If " 62 B , then B [ f"g has been stored in states of from the pth step on. There are more than Gi+1 (n) steps in after the pth (since p + Gi+1 (n) < q + Gi+1 (n) < jj), and we obtain a contradiction. Hence, " 2 B and bj 2 V (B; 0). For the induction step, let 0 < r n, and assume that (15.3.8) holds for all m < r. Assume that q + (r + 1)Gi+1 (n) < jj and let (`0 ; b) be a state that occurs in in position q + (r + 1)Gi+1 (n). Let 1 j k be such that jbj j = r. If bj 62 B , then bj must have been created sometime after step q + rGi+1 (n). Thus, there is a state (`00 ; b0 ) at a position later than q + rGi+1 (n) such that the value bj was obtained in a certain register x from a certain b0j1 via an assignment of the form x := f (xj1 ) or x := g(xj1 ). Thus jb0j1 j = r ; 1. By the inductive hypothesis, we have b0j1 2 V (B; r ; 1), therefore bj 2 V (B; r) as required. This proves (15.3.8). It follows from (15.3.8) that all values occurring in after step p+(n+1)Gi+1 (n) belong to V (B; n). Thus, after p + (n + 1)Gi+1 (n) + jj #V (B; n)k steps of , at least one state must repeat. Therefore,
Gi (n) (n + 1)Gi+1 (n) + jj #V (B; n)k : By Lemma 15.14, we have that the number of possible L-traces of fragments of computations of of length at most n is no greater than jjnk nk2 . Thus 2
#V (B; n) jjnk +k : From this we obtain
Gi (n) (n + 1)Gi+1 (n) + jjk+1 nk3 +k2 ; which completes the proof.
Let Moves(; Tn ) be the set of all words w 2 f0; 1g such that there is a terminating computation 2 Cmp (; Tn ) and a variable x such that xw occurs in the formal computation along Ltr (). Thus, Moves(; Tn ) is the set of all possible moves that can perform on one of its inputs in a terminating computation. It turns out that this set is polynomially bounded.
MIT Press Math7X9/2000/06/30:10:36 Page 361
Expressive Power
Proposition 15.16:
stant c > 0 such that
361
For every deterministic while-program there is a con5
#Moves(; Tn ) (jjn)ck : Proof It follows from Lemma 15.15 that G0 (n), the maximum number of steps makes in Tn before terminating or repeating a state, is at most
k jjk+1 (n + 1)k nk3 +k2 (jjn)c k3 for some c0 > 0, which depends on . Thus, by Lemma 15.14, the number of dierent L-traces of terminating computations in Tn is at most (jjn)c k5 for some c00 > 0. Since an L-trace L of length p brings at most kp terms in the formal computation along L, it follows that #Moves(; Tn ) k(jjn)c k3 (jjn)c k5 (jjn)ck5 for a suitable c > 0. This completes the proof. For a word w 2 f0; 1g, let 0
00
0
00
T (w) def = fwn u j n 2 N ; u 2 f0; 1g; and juj jwjg:
This set can be viewed as an in nite sequence of the trees Tjwj connected along the path w. Let be a deterministic while program with k registers, and let w 2 f0; 1g be a word of length n 2k. If w 62 Moves(; Tn ), then unwinds in T (w). Proposition 15.17:
Proof Let have registers x1 ; : : : ; xk , and choose n with n 2k. We shall describe a deterministic while program whose computation in Tn for a specially chosen input will simulate the computation of in T (w) for every w with jwj = n. In fact, will not depend on w; the correctness of the simulation will follow from the choice of a suitable input for . If we view T (w) as consisting of an in nite number of copies of Tn , each connected along w to the next copy, then will be doing the same in one block of Tn as does in T (w). Obviously, has to remember when values stored in the registers of enter the same block. The assumption that w 62 Moves(; Tn ) implies that no value of can be moved all the way along w. The program has k registers x1 ; : : : ; xk that will hold the values of the registers of truncated to a single Tn . It has two registers b and e, which will be initialized
MIT Press Math7X9/2000/06/30:10:36 Page 362
362
Chapter 15
to the root of Tn and the node w, respectively.2 In addition, the program has k registers z1 ; : : : ; zk , where zi stores the name of the block in which has the value stored in xi . These names are represented by words of the form 0m , where 1 m 2k. The essential information, sucient to carry out the simulation, is whether two variables store a value from the same block or from adjacent blocks. Two values that are at least one block apart are not accessible from each other. For each statement in of the form ` : xi := xj ; 2 f0; 1; "g; the program will have the corresponding statement ` : xi := xj ; if xi = e then zi := 0 zi ; xi := b else zi := zj : Each statement of of the form ` : if xi = xj then `0 else `00 is replaced in by ` : if xi = xj ^ zi = zj then `0 else `00 : Let us now take any w 2 f0; 1g with jwj = n. Every value a 2 T (w) can be uniquely represented as a = wm u, where m 0, juj n, and u 6= w. Given an initial valuation v for in T (w), where v(xi ) = wmi ui (with jui j n and ui 6= w), we de ne an initial valuation v for in Tn as follows: v (xi ) = ui v(b) = " v(e) = w v (zi ) = 0p ; where p in the above de nition is the position of mi in the set fmj j j = 1; ; kg [ fmj + 1 j j = 1; ; kg; counting from the smallest to the largest element starting from 1. The above enumeration of blocks takes into account whether two values are in the same block or in adjacent blocks or whether they are at least one full block apart. Now, if w 62 Moves(; Tn ), then terminates in T (w) for the initial evaluation v i terminates in Tn for the corresponding evaluation v. (An easy proof of this is left 2 We do not x the word w at this stage|it will be introduced via a suitable valuation.
MIT Press Math7X9/2000/06/30:10:36 Page 363
Expressive Power
363
to the reader.) Morever, the simulation of by is faithful, in the sense that for every step of there are at most 4 steps of after which the above described correspondence [v 7! v] between valuations is maintained. Thus, terminates in T (w) for an input v i it terminates in at most j j n2k+2 steps. Hence unwinds in T (w). For every nite set f1 ; : : : ; p g of deterministic while programs over the vocabulary containing two unary function symbols, there is a word w 2 f0; 1g such that each i unwinds in T (w). Proposition 15.18:
Proof Take n suciently large that p [ n f0; 1g ; Moves(i ; Tn) = 6 i=1
?:
By Proposition 15.16, there is such anSn. Then by Proposition 15.17, each i unwinds in T (w), where w 2 f0; 1gn ; pi=1 Moves(i ; Tn ).
Observe that the in nite structure T (w) is constructed separately for each nite set f1 ; : : : ; p g of deterministic while programs. That is, we do not construct one structure in which all deterministic while programs unwind. Still, it is enough for our purposes in this section. In fact, a stronger result can be shown. There exists an in nite treelike structure A in which all deterministic while programs unwind. Theorem 15.19:
We do not prove this result here, since the proof is quite complicated and technical. The main idea is to build an in nite treelike structure A as a limit of a sequence of nite treelike structures. This sequence is constructed inductively in such a way that if a deterministic while program tries to follow one of the very few in nite paths in A, then it must exhibit a periodic behavior. The interested reader is referred to Urzyczyn (1983b) for details. We can now state the main result that separates the expressive power of deterministic and nondeterministic while programs. For every vocabulary containing at least two unary function symbols or at least one function symbol of arity greater than one, DDL is strictly less expressive than DL; that is, DDL < DL. Theorem 15.20:
MIT Press Math7X9/2000/06/30:10:36 Page 364
364
Chapter 15
Proof For the vocabulary containing two unary function symbols, the theorem is an immediate corollary of Proposition 15.18 and Theorem 15.4. The case of a vocabulary containing a function symbol of arity greater than one is easily reducible to the former case. We leave the details as an exercise (Exercise 15.3).
It turns out that Theorem 15.20 cannot be extended to vocabularies containing just one unary function symbol without solving a well known open problem in complexity theory. For every rich mono-unary vocabulary, the statement \DDL is strictly less expressive than DL" is equivalent to LOGSPACE 6= NLOGSPACE . Theorem 15.21:
Proof This follows immediately from the Spectral Theorem (Theorem 15.11), Proposition 15.9 (ii), and Theorem 13.11.
Boolean Stacks We now turn our attention to the discussion of the role non-determinism plays in the expressive power of regular programs with a Boolean stack. We will show that for a vocabulary containing at least two unary function symbols, nondeterminism increases the expressive power of DL over regular programs with a Boolean stack. There are two known approaches to proving this result. These are similar in terms of the methods they use|they both construct an in nite treelike algebra in which deterministic regular programs with a Boolean stack unwind. This property is achieved by exhibiting a periodic behavior of deterministic regular programs with a Boolean stack. We sketch the main steps of both approaches, leaving out the technical details that prove the periodicity. For the rest of this section, we let the vocabulary contain two unary function symbols. The main result of the section is the following. For a vocabulary containing at least two unary function symbols or a function symbol of arity greater than two, DL(dbstk) < DL(bstk). Theorem 15.22:
For the purpose of this section, we augment the deterministic while programs of Section 15.3 with instructions to manipulate the Boolean stack. Thus, a computation of a program with a Boolean stack is a sequence of the form (`1 ; a1 ; 1 ); : : : ; (`i ; ai ; i ); : : : where `i is a label of the statement to be executed at the ith step, ai is a vector of
MIT Press Math7X9/2000/06/30:10:36 Page 365
Expressive Power
365
current values stored in the registers of prior to the ith step and i 2 f0; 1g is the contents of the Boolean stack prior to the ith step. We do not assume here that `1 is the label of the rst instruction of , nor that 1 is empty. If for every n 0 the number of push statements is greater than or equal to the number of pop statements during the rst n steps (`1 ; a1 ; 1 ); : : : ; (`n ; an ; n ); then such a computation will be called legal . Let A be a -structure, let r > 0, and let be a deterministic while program with a Boolean stack. A computation (`1 ; a1 ; 1 ); : : : ; (`i ; ai ; i ); : : : of in A is said to be strongly r-periodic if there is n < r such that for all i 2 N , `n+i = `n+r+i and an+i = an+r+i : A program is said to be uniformly periodic in A if for every 2 f0; 1g there exists r > 0 such that for every label ` and every vector a of values, the computation that starts from (`; a; ) is strongly r-periodic. Let m 2. A computation (`1 ; a1 ; 1 ); : : : ; (`i ; ai ; i ); : : : is said to be upward periodic for m-periods if there exist r > 0 and n < r such that for all 0 i < (m ; 1)r, `n+i = `n+r+i; and moreover, the computation (`n ; an ; n ); : : : ; (`n+r;1 ; an+r;1; n+r;1 ) is legal. Hence, the sequence of labels repeats for m times, and each of the m cycles is legal, i.e. it never inspects the contents of the Boolean stack with which the cycle started.
Adian Structures
Adian structures arise from the well known solution to the Burnside problem in group theory. In 1979, S. I. Adian proved that for every odd n 665 there exists an in nite group Gn generated by two elements satisfying the identity xn = 1, where 1 is the unit of the group (Adian (1979)).
MIT Press Math7X9/2000/06/30:10:36 Page 366
366
Chapter 15
Every such group Gn induces in a natural way a -algebra Gn =
f (x) = ax;
g(x) = bx;
where a and b are the generators of Gn . Since in Gn we have a;1 = an;1 and b;1 = bn;1, it follows that every term over Gn can be represented by a string in fa; bg, assuming that the unit 1 is represented by the empty string ". Thus Gn induces an equivalence relation on f0; 1g: for u; w 2 f0; 1g, u w i the terms obtained from u and w by replacing 0 with a and 1 with b are equal in Gn . The quotient f0; 1g= can be viewed as an in nite directed graph in which every node is of out-degree 2. This graph is not a treelike structure, since it contains loops of length greater than 1. It might also be possible that for paths u; w 2 f0; 1g we have 0u 1w. Cyclicity of Gn implies periodic behavior of deterministic while programs with a Boolean stack. The reader interested in the details of the proof of the following result is referred to Stolboushkin (1983). For every odd n 665, any deterministic while program with a Boolean stack is uniformly periodic in Gn . Theorem 15.23:
It follows immediately from Theorem 15.23 that every deterministic while program with a Boolean stack unwinds in Gn . On the other hand, the ordinary non-deterministic regular program
x := " ; x := g(x)
does not unwind in Gn . Hence, Theorem 15.22 follows immediately from Theorem 15.4.
Traps
The method of trapping programs from a given class K of programs consists of building a treelike structure A satisfying the following two properties:
Programs from K, when computing in A, exhibit some form of limited periodic
behavior. The structure A contains only one in nite path, and this path has the property that there are very few repetitions of subwords on that path.
MIT Press Math7X9/2000/06/30:10:36 Page 367
Expressive Power
367
As a result of these two properties, no computation in A can stay for a suciently long time on that in nite path. This yields the unwind property in A of programs from K. Of course, in this section we are only interested in deterministic regular programs with a Boolean stack. Let m 2, and let T be a class of treelike structures. We say that a program exhibits m repetitions in T if there exists n 2 N such that for every A 2 T, each legal fragment of length n of any computation of in A is upward periodic for m periods. We stress that the bound n is uniform for all structures in T. Let A be a treelike structure and let n 0. We say that level n is incomplete in A if there is w 2 A such that jwj = n and either w0 62 A or w1 62 A. Otherwise, level n in A is said to be complete. The treelike structure A is called p-sparse if every two incomplete levels in A are separated by at least p complete levels. The following theorem is the main tool used in establishing limited periodic behavior of deterministic while programs with a Boolean stack when the programs are run over certain treelike structures. For every deterministic while program with a Boolean stack and for every m 2, there exists p 2 N such that exhibits m repetitions over the class of all p-sparse structures. Theorem 15.24:
We are now ready to build a trap. For every nite set f1 ; : : : ; n g of deterministic while programs with a Boolean stack, there is an in nite treelike structure A such that every i unwinds in A. Theorem 15.25:
Proof Let W be an in nite cube-free string; that is, no nite non-empty string of the form uuu is a substring of W . It is known that such strings exist (see Salomaa (1981)). Let k be an upper bound on the number of registers used by each i . It is not hard to prove that there exists a number r 2 N such that for every function f : f1; : : : ; kg ! f1; : : : ; kg, the rth power f r of f is idempotent; that is, f r f r = f r . We x such an r and let m = 4r. We now apply Theorem 15.24 to m and to each i . Let pi 2 N be such that i exhibits m repetitions over the class of pi -sparse structures. Clearly, we can choose a common p by taking the largest pi . We now cut W into pieces, each of length p; that is, W = w1 w2 , where
MIT Press Math7X9/2000/06/30:10:36 Page 368
368
Chapter 15
jwi j = p for all i 1. Our trap structure is de ned as follows. A def = fu 2 f0; 1g j 9j 0 9u0 2 f0; 1g u = w1 w2 wj u0 and ju0j < pg: The set A can be viewed as sequence of blocks of full binary trees of depth p connected along the in nite path W . Since A is p-sparse, it follows that every i exhibits m repetitions in A. Let q 0 be such that every legal fragment of length q of any computation of i in A is upward periodic for m-periods. Take any computation of i that starts with an empty stack and any initial valuation in A. Assume that the computation is of length at least q, and consider the rst q steps in this computation. Thus, this fragment is upward periodic for m periods. Consider the rst period. After it has been completed, the value of any register, say xj , depends on the value of a certain register xj at the entering point of this period. That is, upon completing the rst period, xj is equal to xj for a certain 2 f0; 1g. This gives rise to a function f : f1; : : : ; kg ! f1; : : : ; kg whose value at j is f (j ) = j 0 . Thus, after r periods, the contents of register xj depends on the value stored in register xf r (j) at the beginning of the rst period. By the same argument, it follows that after 2r periods, the contents of xj depends on the value stored in register xf r (j) at the beginning of the (r + 1)st period. The latter value depends on the contents stored in register xf r f r (j) = xf r (j) at the beginning of the rst period. It follows that after 4r periods, the value stored in xj is obtained from the value stored in xf r (j) at the beginning of the rst period by applying a term of the form 1 2 2 2 . We have shown that after 4r periods, all values stored in registers of every i are outside the path W . Therefore, the computation cannot proceed to the next block, which implies that every program i unwinds in A. 0
0
We now derive Theorem 15.22 from Theorem 15.25 in exactly the same way as in the case of Adian structures and Theorem 15.23.
Algebraic Stacks and Beyond It turns out that for programming languages that use suciently strong data types, nondeterminism does not increase the expressive power of Dynamic Logic. Theorem 15.26:
For every vocabulary,
(i) DL(dstk) DL(stk). (ii) DL(darray) DL(array).
MIT Press Math7X9/2000/06/30:10:36 Page 369
Expressive Power
369
Proof Both parts follow immediately from the Spectral Theorem (Theorem 15.11), Proposition 15.9, and either Theorem 13.12 for case (i) or Theorem 13.13 for case (ii). It can be shown that even though r.e. programs are not divergence closed, nondeterminism does not increase the expressive power. We leave this as an exercise (see Exercise 15.2).
15.4 Unbounded Memory In this section we show that allowing unbounded memory increases the expressive power of the corresponding logic. However, this result depends on assumptions about the vocabulary . Recall from Section 11.2 that an r.e. program has bounded memory if the set CS () contains only nitely many distinct variables from V , and if in addition the nesting of function symbols in terms that occur in seqs of CS () is bounded. This restriction implies that such a program can be simulated in all interpretations by a device that uses a xed nite number of registers, say x1 ; : : : ; xn , and all its elementary steps consist of either performing a test of the form r(xi1 ; : : : ; xim )?; where r is an m-ary relation symbol of , or executing a simple assignment of either of the following two forms: xi := xj : xi := f (xi1 ; : : : ; xik ) In general, however, such a device may need a very powerful control (that of a Turing machine) to decide which elementary step to take next. An example of a programming language with bounded memory is the class of regular programs with a Boolean stack. Indeed, the Boolean stack strengthens the control structure of a regular program without introducing extra registers for storing algebraic elements. We leave it as an exercise (Exercise 15.5) to prove that regular programs with a Boolean stack have bounded memory. On the other hand, regular programs with an algebraic stack or with arrays are programming languages with unbounded memory. It turns out that the results on expressive power depend on assumptions on the vocabulary. Recall that a vocabulary is polyadic if it contains a function symbol of arity greater than one. Vocabularies whose function symbols are all unary are called monadic . We begin our discussion with polyadic vocabularies and then move to the more dicult case of monadic ones.
MIT Press Math7X9/2000/06/30:10:36 Page 370
370
Chapter 15
Polyadic Vocabulary We need some technical machinery for the proof of the main result of this section. We rst discuss pebble games on dags, then exhibit a dag that is hard to pebble. The technical results will be used in the proof of Proposition 15.29.
A Pebble Game on Dags Let D = (D; !D ) be a dag, and let n 1. We describe a game on D involving n
pebbles. The game starts with some of the pebbles, perhaps all of them, placed on vertices of D, at most one pebble on each vertex. A move consists of either removing pebbles from the graph or placing a free pebble on some vertex d. The latter move is allowed only if all direct predecessors of d (vertices c such that c !D d) are pebbled, i.e., are occupied by pebbles. We also allow a pebble to be moved from a predecessor of d directly to d, provided all predecessors of d are pebbled. The rules of the n-pebble game can be expressed more precisely by introducing the notion of an n-con guration and the relation of succession on the set of ncon gurations. An n-con guration C is any subset of D of cardinality at most n. For n-con gurations C and C 0 , we say that C 0 n-succeeds C if either of the following two conditions hold: (i) C 0 C ; or (ii) for some d, C 0 ; C = fdg and fc 2 D j c !D dg C . A sequence of n-con gurations C0 ; C1 ; : : : ; Cm is called an n-pebble game if Ci+1 n-succeeds Ci for 0 i m ; 1. The following lemma is useful for transforming an n-pebble game into an (n ; 1)pebble game. It will be applied to a special dag constructed in the next section. Lemma 15.27:
Let D = (D; !D ) be a dag, and let a 2 D. De ne
A def = fd j a !D dg;
where !D is the re exive transitive closure of !D . Let C0 ; : : : ; Cm be an n-pebble game in D, n 2. Suppose that for every 0 i m, A \ Ci 6= ?. Then there is an (n ; 1)-pebble game B0 ; : : : ; Bm such that m [
i=0
Ci A [
m [
i=0
Bi :
(15.4.1)
Proof For each 0 i m, let Bi = Ci ; A. Surely, (15.4.1) holds. Since A and
MIT Press Math7X9/2000/06/30:10:36 Page 371
Expressive Power
371
Ci intersect, Bi is an (n ; 1)-con guration. It remains to show that Bi+1 (n ; 1)succeeds Bi for 0 i m ; 1. In case (i), we have Ci+1 Ci , so that Bi+1 Bi as well. In case (ii), we have Ci+1 ; Ci = fdg. Either d 2 A, in which case Bi+1 Bi ; or d 62 A, in which case Bi+1 ; Bi = fdg. However, if d 62 A, then no predecessor of d is in A, and since fc j c !D dg Ci , we must have fc j c !D dg Bi too.
A Hard Dag
In this section we describe a dag that cannot be pebbled with nitely many pebbles. Let A def = (N ; !A ) be a dag de ned as follows.
!A def = f(n; n + 1) j n 2 Ng [ f(n; 2n + 1) j n 2 Ng [ f(n; 2n + 2) j n 2 Ng: The dag A can be viewed as a union of the chain of successive natural numbers and the in nite binary tree that has 0 as its root and for each n has 2n + 1 as the left child and 2n + 2 as the right child. A parent of the node n is b(n ; 1)=2c (we will call it a tree-parent of n). Observe that
n !A m () n m: Let C N and k 2 N. We de ne the k-neighborhood of C , denoted N (C; k), by
N (C; k) def = fj 2 N j (9i 2 C [ f0g) i j i + kg: Finally, de ne a function f : N ! N inductively, by f (0) def = 0;
f (n + 1) def = 4(n + 1)(f (n) + 1): The following lemma shows that A cannot be pebbled with nitely many pebbles. Lemma 15.28: For every n 1 and for every n-con guration C of C; C1 ; : : : ; Cr is an n-pebble game in A, then Cr N (C; f (n)).
A, if
Proof We prove the result by induction on n. For n = 1, the result is obvious.
MIT Press Math7X9/2000/06/30:10:36 Page 372
372
Chapter 15
For n > 1, assume that there is an n-con guration C of A and an n-pebble game C; C1 ; : : : ; Cr in A such that for some k 2 Cr , k 62 N (C; f (n)). We will nd an (n ; 1)-con guration and an (n ; 1)-pebble game that contradict the conclusion of the lemma. Let j 2 C [ f0g be the largest element such that j < k. It follows that f (n) < k ; j . Let m = d(k ; j + 1)=2e + j + 1, which is roughly the middle of the interval between j and k. Observe that this interval does not contain any node from C . In order to move a pebble from j to k, the n-game C; C1 ; : : : ; Cr must have moved at least one pebble through all the intermediate nodes. Let i0 be the smallest number such that m 2 Ci0 and each con guration after Ci0 contains a node between m and k. In order to move a pebble through all these nodes, we must also move a pebble through the tree-parents of these nodes. Call these tree-parent nodes red. Since the tree-parent of a node i > 0 is b(i ; 1)=2c, it follows that all red nodes are smaller than or equal to b(k ; 1)=2c. On the other hand we have
d(k ; j + 1)=2e + j + 1 k + 2j + 3 > bk=2c; thus m > bk=2c, so every red node is smaller than m. We can now apply Lemma 15.27 to A, the node m, and the n-pebble game Ci0 ; : : : S ; Cr . We obtain an (n ; 1)-pebble game B1 ; : : : ; Bp such that every red node is in pi=1 Bi . By the inductive hypothesis, we have
S # pi=1 Bi #N (B1 ; f (n ; 1)) n(f (n ; 1) + 1):
(15.4.2)
On the other hand, the number of red nodes is half the number of nodes in the interval m through k; that is, it is at least (k ; j )=2. We thus have
k ; j > f (n) = 2n(f (n ; 1) + 1): 2 2
Thus, the number of red nodes is larger than n(f (n ; 1) + 1), which contradicts (15.4.2). This completes the induction step.
The Unwind Property
We rst de ne a structure A def = (N ; g; 0)
MIT Press Math7X9/2000/06/30:10:36 Page 373
Expressive Power
373
over the vocabulary that consists of one constant symbol 0 and one binary function symbol g : N 2 ! N de ned as follows: n + 1; if n > 0 and m = b(n ; 1)=2c def g(m; n) = 0; otherwise. We can now prove the main technical result of this section. Proposition 15.29:
Every r.e. program with bounded memory unwinds in A.
Proof Let be an r.e. program with bounded memory, and let CS () = fi j i 2 Ng. Let x1 ; : : : ; xn be all the variables that occur in seqs of CS (). We claim that each seq i 2 CS () can be viewed as a simultaneous assignment
(x1 ; : : : ; xn ) := (t1;i ; : : : ; tn;i ); which is performed subject to the satis ability of a quanti er-free condition (guard) 'i . In other words, i is equivalent to 'i ? ; (x1 ; : : : ; xn ) := (t1;i ; : : : ; tn;i ): This claim can be proved by a routine induction on the number of steps in i , and we leave it to the reader. From now on, we assume that the seqs in CS () are of the above form. Let T () be the least set of terms that contains all terms occurring in CS () and that is closed under subterms. For every a1 ; : : : ; an 2 N , let
T A(a1 ; : : : ; an ) def = ftA (a1 ; : : : ; an ) j t 2 T ()g: Observe that every element in b 2 T A(a1 ; : : : ; an ) can be computed by simple assignments using only n variables. Hence b can be viewed as being reachable by an n-pebble game from the initial con guration fa1 ; : : : ; an g. It follows from Lemma 15.28 that T A(a1 ; : : : ; an ) N (fa1 ; : : : ; an g; f (n)); thus #T A (a1 ; : : : ; an ) (n + 1) (f (n) + 1): (15.4.3) We can conclude that the computation starting from any given input lies in the partial subalgebra of A of cardinality (n + 1) (f (n) + 1). Since the number of pairwise non-isomorphic partial subalgebras of A of
MIT Press Math7X9/2000/06/30:10:36 Page 374
374
Chapter 15
bounded cardinality is nite, it follows that there exists m 0 such that and 1 [ [ m represent the same input-output relation in A. To see this, suppose that we have two isomorphic partial subalgebras of A, say (B1 ; a1 ; : : : ; an ) and (B2 ; b1 ; : : : ; bn). Moreover, assume that the computation of for input a1 ; : : : ; an lies in B1 , and similarly that the computation of for input b1 ; : : : ; bn lies in B2 . Then fi 2 N j B1 j= 'i (a1 ; : : : ; an )g = fi 2 N j B2 j= 'i (b1 ; : : : ; bn)g: Let I denote this set. It follows from (15.4.3) that the set f(tA1;i (a1 ; : : : ; an); : : : ; tAn;i (a1 ; : : : ; an )) j i 2 I g is nite. Let m 2 N be such that f(tA1;i (a1 ; : : : ; an); : : : ; tAn;i (a1 ; : : : ; an )) j i 2 I g = f(tA1;i (a1 ; : : : ; an ); : : : ; tAn;i (a1 ; : : : ; an )) j i 2 I; i mg: It follows that the number m depends only on the isomorphism class of (B1 ; a1 ; : : : ; an ), not on the particular choice of this subalgebra. Since there are only nitely many isomorphism classes of bounded cardinality, it suces to take the largest such m. Then A = 1A [ [ mA ; which completes the proof. Theorem 15.30: For every vocabulary containing at least one function symbol of
arity greater than one, no DL over a programming language with bounded memory is reducible to any DL over a programming language that contains a program equivalent to Next0 . Proof For a vocabulary containing a binary function symbol, the result follows immediately from Proposition 15.29, Theorem 15.4, and Proposition 15.3. The case of a vocabulary containing only function symbols of arity greater than two we leave as an exercise (Exercise 15.8).
For every vocabulary containing a function symbol of arity greater than one, DL(dbstk) < DL(dstk) and DL(bstk) < DL(stk). Theorem 15.31:
Proof This is an immediate corollary of Theorem 15.30 and the fact that regular
MIT Press Math7X9/2000/06/30:10:36 Page 375
Expressive Power
375
programs with a Boolean stack have bounded memory (see Exercise 15.5).
Monadic Vocabulary For monadic vocabularies the situation is much less clear. The method of pebbling, which is applicable to polyadic vocabularies, does not work for monadic vocabularies, since every term (viewed as a dag) can be pebbled with a single pebble. For this reason, formally speaking, the issue of unbounded memory in programs over a monadic vocabulary disappears. Nevertheless, it makes sense to compare the expressive power of regular programs with or without a Boolean stack and programs equipped with an algebraic stack. It is not known whether DL(reg) < DL(stk) holds for monadic vocabularies. For deterministic regular programs, however, we have the following result. Let the vocabulary be rich and mono-unary. Then DL(dreg) DL(dstk) () LOGSPACE = P : Theorem 15.32:
Proof Since deterministic regular programs over mono-unary vocabularies are semi-universal and divergence closed (see Proposition 15.9), the result follows immediately from Theorem 15.11, Theorem 13.12 and Theorem 13.11. The case of poor vocabularies is treated in Exercise 15.12. For monadic vocabularies, the class of nondeterministic regular programs with a Boolean stack is computationally equivalent to the class of nondeterministic regular programs with an algebraic stack (see Exercise 15.11). Hence, we have: Theorem 15.33:
For all monadic vocabularies, DL(bstk) DL(stk).
For deterministic programs, the situation is slightly dierent. Theorem 15.34:
(i) For all mono-unary vocabularies, DL(dbstk) DL(dstk). (ii) For all monadic vocabularies containing at least two function symbols, DL(dbstk) < DL(dstk). Proof Part (i) follows from Exercise 15.10. For part (ii), we observe that DL(bstk) DL(stk); hence, the result follows immediately from Theorem 15.22 and Theorem 15.26.
MIT Press Math7X9/2000/06/30:10:36 Page 376
376
Chapter 15
It is not known whether DL(bstk) < DL(stk) holds for monadic vocabularies. The case of poor vocabularies is treated in the exercises (Exercise 15.12).
15.5 The Power of a Boolean Stack Regular programs with a Boolean stack are situated between pure regular programs and regular programs with an algebraic stack. We start our discussion by comparing the expressive power of regular programs with and without a Boolean stack. The only known de nite answer to this problem is given in the following result, which covers the case of deterministic programs only. If the vocabulary contains at least one function symbol of arity greater than one or at least two unary function symbols, then DL(dreg) < DL(dbstk). Theorem 15.35:
Proof sketch. The main idea of the proof is as follows. We start with an in nite treelike structure A in which all deterministic while programs unwind. Theorem 15.19 provides such structures. Next, we pick up an in nite path in A, cut it into nite pieces, and separate each two consecutive pieces u and w by inserting wR in between them (the string w in reversed order). The hard part is to prove that all deterministic while programs still unwind in the transformed structure. However, it should be much clearer that there is a deterministic while program with a Boolean stack that can follow the entire in nite path; it simply stores on its stack the inserted strings and uses the stored string in order to nd a way through the next piece of the in nite path. The technical details are rather complicated. The reader can consult Urzyczyn (1987) for the details.
It is not known whether Theorem 15.35 holds for nondeterministic programs, and neither is its statement known to be equivalent to any of the well known open problems in complexity theory. In contrast, it follows from Exercise 15.10 and from Theorem 15.32 that for rich mono-unary vocabularies the statement \DL(dreg) DL(dbstk)" is equivalent to LOGSPACE = P . Hence, this problem cannot be solved without solving one of the major open problems in complexity theory. The comparison of the expressive power of a Boolean stack and an algebraic stack is discussed in Theorem 15.31 for polyadic vocabularies and in Theorem 15.33 and Theorem 15.34 for monadic vocabularies.
MIT Press Math7X9/2000/06/30:10:36 Page 377
Expressive Power
377
15.6 Unbounded Nondeterminism The wildcard assignment statement x := ? discussed in Section 11.2 chooses an element of the domain of computation nondeterministically and assigns it to x. It is a device that represents unbounded nondeterminism as opposed to the binary nondeterminism of the nondeterministic choice construct [. The programming language of regular programs augmented with wildcard assignment is not an acceptable programming language, since a wildcard assignment can produce values that are outside the substructure generated by the input. Our rst result shows that wildcard assignment increases the expressive power in quite a substantial way; it cannot be simulated even by r.e. programs. Let the vocabulary contain two constants c1 ; c2 , a binary predicate symbol p, the symbol = for equality, and no other function or predicate symbols. There is a formula of DL(wild) that is equivalent to no formula of DL(r.e.), thus DL(wild) 6 DL(r.e.). Theorem 15.36:
Proof Consider the DL(wild) formula
' def =
<(x
:= c1 ; z := ?; p(x; z )?; x := z )> x = c2 ;
which is true in a structure A i (c1 ; c2 ) belongs to the transitive closure of p. Since the vocabulary contains no function symbols, it follows that every DL(r.e.) formula is equivalent to a rst-order formula. It is well known (and in fact can be proved quite easily by the compactness of predicate logic) that there is no rst-order formula capable of expressing the transitive closure of a binary relation. It is not known whether any of the logics with unbounded memory are reducible to DL(wild). An interesting thing happens when both wildcard and array assignments are allowed. We show that in the resulting logic, it is possible to de ne the niteness of (the domain of) a structure, but not in the logics with either of the additions removed. Thus, having both memory and nondeterminism unbounded provides more power than having either of them bounded. Let vocabulary contain only the symbol of equality. There is a formula of DL(array+wild) equivalent to no formula of either DL(array) or DL(wild). Theorem 15.37:
MIT Press Math7X9/2000/06/30:10:36 Page 378
378
Chapter 15
Proof Let F be a unary function variable and consider the formula
' def =
8y 9x
locations of F . In a model A, the formula ' expresses the fact that we can store all elements of the domain in the variable F in a nite number of steps, thus the domain is nite. That niteness cannot be expressed in DL(array) should be clear: since DL(array) is reducible over this vocabulary to rst-order logic, another routine application of the compactness of predicate logic suces. We show that over our vocabulary, DL(wild) is also reducible to rst-order logic. For this it is enough to observe that for our simple vocabulary, every regular program with wildcard assignments unwinds in every structure. Given a regular program with wildcard assignments, let x1 ; : : : ; xk be all the variables occurring in . Seqs in CS () are sequences of the following three kinds of atomic programs: xi := xj xi := ? '?; where i; j 2 f1; : : : ; kg and ' is a Boolean combination of atomic formulas of the form xi = xj . It is easy to show that for each seq 2 CS (), there is a program and a rst-order formula such that for every structure A, mA () = f(u; v) 2 mA ( ) j u 2 mA ( )g: The program uses only variables from fx1 ; : : : ; xk g, and it is a sequence of assignments (ordinary or wildcard) such that no variable on the left side of an assignment appears twice in . Moreover, is a conjunction of formulas of the form 9xi1 : : : 9xim ', where each xij 2 fx1 ; : : : ; xk g and ' is a Boolean combination of atomic formulas of the form xi = xj . Since there are only nitely many dierent
and satisfying the above conditions, it follows that that there are only nitely many semantically dierent seqs in CS (), therefore unwinds in all structures.
15.7 Bibliographical Notes Many of the results on relative expressiveness presented herein answer questions posed in Harel (1979). Similar uninterpreted research, comparing the expressive power of classes of programs (but detached from any surrounding logic) has taken place under the name comparative schematology quite extensively ever since Ianov (1960); see Greibach (1975) and Manna (1974). The results of Section 15.1 are folklore. However, Kfoury (1985) contained the
MIT Press Math7X9/2000/06/30:10:36 Page 379
Expressive Power
379
rst proposal to use the notion of the unwind property as a tool for separating the expressive power of logics of programs (Theorem 15.4). Kreczmar (1977) studied the unwind property over the elds of real and complex numbers as well as over Archimedian elds (the unwind property for deterministic while programs holds for each of these structures). A systematic study of the unwind property, mainly for regular programs, was carried out in the PhD thesis of Urzyczyn (1983c). The material of Section 15.2, relating spectra of logics of programs to their relative expressive power, is due to Tiuryn and Urzyczyn. It started with Tiuryn and Urzyczyn (1983) (see Tiuryn and Urzyczyn (1988) for the full version). The general Spectral Theorem (Theorem 15.11) is from Tiuryn and Urzyczyn (1984). However, some of the de nitions presented in our exposition are simpler than in the papers cited above. In particular, the notion of admissibility of a programming language has been simpli ed here, and an auxiliary notion of termination subsumption has been introduced. As a result, some of the proofs have become simpler too. In particular, our proof of the Spectral Theorem is simpler than that in Tiuryn and Urzyczyn (1984). The main result of Section 15.3, Theorem 15.20, appears in Berman et al. (1982) and was proved independently in Stolboushkin and Taitslin (1983). These results extend in a substantial way an earlier and much simpler result for the case of regular programs without equality in the vocabulary, which appears in Halpern (1981). A simpler proof of the special case of the quanti er-free fragment of the logic of regular programs appears in Meyer and Winklmann (1982). The proof of Theorem 15.20 presented here is from Tiuryn (1989). Theorem 15.19 is due to Urzyczyn (1983b), and as a corollary it yields Theorem 15.20. Theorem 15.21 is from Tiuryn and Urzyczyn (1984). Theorem 15.22 is from Stolboushkin (1983). The proof, as in the case of regular programs (see Stolboushkin and Taitslin (1983)), uses Adian's result from group theory (Adian (1979)). Theorem 15.23 is also from Stolboushkin (1983). The method of trapping programs is from Kfoury (1985). Theorems 15.24 and 15.25 are from Kfoury (1985). Observe that Theorem 15.25 is strong enough to yield Theorem 15.20. Theorem 15.26 is from Tiuryn and Urzyczyn (1983, 1988). The main result of Section 15.4, Theorem 15.30, is from Erimbetov (1981) and was proved independently by Tiuryn (1981b) (see Tiuryn (1984) for the full version). Erimbetov (1981) contains a somewhat special case of this result, namely that DL(dreg) < DL(dstk). Both proofs applied similar methods: pebble games on nite trees. The proof given here is based on the idea presented in Kfoury (1983). In particular, Proposition 15.29 is from Kfoury (1983). However, the proof of this Proposition was further simpli ed by Kfoury and Stolboushkin (1997). We follow the latter proof in our exposition.
MIT Press Math7X9/2000/06/30:10:36 Page 380
380
Chapter 15
Theorem 15.35 is from Urzyczyn (1987). There is a dierent proof of this result, using Adian structures, which appears in Stolboushkin (1989). Exercise 15.11 is from Urzyczyn (1988), which also studies programs with Boolean arrays. Wildcard assignments were considered in Harel et al. (1977) under the name nondeterministic assignments. Theorem 15.36 is from Meyer and Winklmann (1982). Theorem 15.37 is from Meyer and Parikh (1981). In our exposition of the comparison of the expressive power of logics, we have made the assumption that programs use only quanti er-free rst-order tests. It follows from the results of Urzyczyn (1986) that allowing full rst-order tests in many cases results in increased expressive power. Urzyczyn (1986) also proves that adding array assignments to nondeterministic r.e. programs increases the expressive power of the logic. This should be contrasted with the result of Meyer and Tiuryn (1981, 1984) to the eect that for deterministic r.e. programs, array assignments do not increase expressive power. Makowski (1980) considers a weaker notion of equivalence between logics common in investigations in abstract model theory, whereby models are extended with interpretations for additional predicate symbols. With this notion it is shown in Makowski (1980) that most of the versions of logics of programs treated here become equivalent.
Exercises 15.1. Show that program equivalence is not invariant under elementary equivalence of structures. 15.2. (Meyer and Tiuryn (1981, 1984)) De ne the class of deterministic r.e. programs over a given vocabulary. Show that DL(r.e.) has the same expressive power as DL over deterministic r.e. programs. Notice that r.e. programs are not divergenceclosed. 15.3. In Theorem 15.20, reduce the case of a vocabulary containing a function symbol of arity greater than one to the case of a vocabulary containing two unary function symbols. 15.4. De ne super-atomic seqs as those that use only simple assignments in which the terms have depth at most one. Show that a term t has pebble complexity at most n i there is a super-atomic seq with at most n variables that computes it.
MIT Press Math7X9/2000/06/30:10:36 Page 381
Expressive Power
381
15.5. Show that every nondeterministic while program with a Boolean stack has bounded memory. 15.6. Show that regular programs with an algebraic stack are translatable into regular programs with arrays. (Hint. Prove that for every regular program with an algebraic stack, there is a polynomial p(n) such that in every terminating computation of over an n-element interpretation, the maximal depth of the stack is at most p(n).) 15.7. Prove that regular programs with two algebraic stacks have the same computational power as arbitrary r.e. programs. 15.8. Prove Theorem 15.30 for vocabularies containing only symbols of arity greater than two. 15.9. Show that over a vocabulary containing no function symbols of arity greater than one all terms have pebble complexity one. 15.10. Show that over a mono-unary vocabulary, regular programs with a Boolean stack have the same computational power as regular programs with an algebraic stack. Show that the same result holds for deterministic programs. Conclude that the two version of DL over these programming languages are of equal expressive power. 15.11. Prove that over a monadic vocabulary, nondeterministic regular programs with a Boolean stack have the same computational power as nondeterministic regular programs with an algebraic stack. 15.12. Prove that for any poor vocabulary, (a) DL(stk) DL(array) i DTIME (2O(n) ) = DSPACE (2O(n) ); (b) DL(dreg) DL(reg) i DSPACE (n) = NSPACE (n); (c) DL(dreg) DL(dstk) i DSPACE (n) = DTIME (2O(n) ).
MIT Press Math7X9/2000/06/30:10:36 P age 382
MIT Press Math7X9/2000/06/30:10:36 Page 383
16 Variants of DL In this section we consider some restrictions and extensions of DL. We are interested mainly in questions of comparative expressive power on the uninterpreted level. In arithmetical structures these questions usually become trivial, since it is dicult to go beyond the power of rst-order arithmetic without allowing in nitely many distinct tests in programs (see Theorems 12.6 and 12.7). In regular DL this luxury is not present.
16.1 Algorithmic Logic Algorithmic Logic (AL) is the predecessor of Dynamic Logic. The basic system was de ned by Salwicki (1970) and generated an extensive amount of subsequent research carried out by a group of mathematicians working in Warsaw. Two surveys of the rst few years of their work can be found in Banachowski et al. (1977) and Salwicki (1977). The original version of AL allowed deterministic while programs and formulas built from the constructs
'
[ '
\ '
corresponding in our terminology to <>'
< >'
^
n2!
<n >';
respectively, where is a deterministic while program and ' is a quanti er-free rst-order formula. In Mirkowska (1980, 1981a,b), AL was extended to allow nondeterministic while programs and the constructs r' ' corresponding in our terminology to <>' halt() ^ []' ^ <>'; respectively. The latter asserts that all traces of are nite and terminate in a state satisfying '. A feature present in AL but not in DL is the set of \dynamic terms" in addition to dynamic formulas. For a rst-order term t and a deterministic while program
MIT Press Math7X9/2000/06/30:10:36 Page 384
384
Chapter 16
, the meaning of the expression t is the value of t after executing program . If does not halt, the meaning is unde ned. Such terms can be systematically eliminated; for example, P (x; t) is replaced by 9z (<>(z = t) ^ P (x; z )).
The emphasis in the early research on AL was in obtaining in nitary completeness results (as in Section 14.1), developing normal forms for programs, investigating recursive procedures with parameters, and axiomatizing certain aspects of programming using formulas of AL. As an example of the latter, the algorithmic formula (while s 6= " do s := pop(s))1 can be viewed as an axiom connected with the data structure stack. One can then investigate the consequences of such axioms within AL, regarding them as properties of the corresponding data structures. Complete in nitary deductive systems for rst-order and propositional versions are given in Mirkowska (1980, 1981a,b). The in nitary completeness results for AL are usually proved by the algebraic methods of Rasiowa and Sikorski (1963). Constable (1977), Constable and O'Donnell (1978) and Goldblatt (1982) present logics similar to AL and DL for reasoning about deterministic while programs.
16.2 Nonstandard Dynamic Logic Nonstandard Dynamic Logic (NDL) was introduced by Andreka, Nemeti, and Sain in 1979. The reader is referred to Nemeti (1981) and Andreka et al. (1982a,b) for a full exposition and further references. The main idea behind NDL is to allow nonstandard models of time by referring only to rst-order properties of time when measuring the length of a computation. The approach described in Andreka et al. (1982a,b) and further research in NDL is concentrated on proving properties of owcharts, i.e., programs built up of assignments, conditionals and go to statements. Nonstandard Dynamic Logic is well suited to comparing the reasoning power of various program veri cation methods. This is usually done by providing a modeltheoretic characterization of a given method for program veri cation. To illustrate this approach, we brie y discuss a characterization of Hoare Logic for partial correctness formulas. For the present exposition, we choose a somewhat simpler formalism which still conveys the basic idea of nonstandard time. Let be a rst-order vocabulary. For the remainder of this section we x a deterministic while program over in which the while-do construct does not
MIT Press Math7X9/2000/06/30:10:36 Page 385
Variants of DL
385
occur (such a program is called loop-free ). Let z = (z1 ; : : : ; zn ) contain all variables occurring in , and let y = (y1 ; : : : ; yn) be a vector of n distinct individual variables disjoint from z. Since is loop-free, it has only nitely many computation sequences. One can easily de ne a quanti er-free rst-order formula with all free variable among y; z that de nes the input/output relation of in all -structures A in the sense that the pair of states (u; v) is in mA () if and only if A; v[y1=u(z1 ); : : : ; yn =u(zn)] and u(x) = v(x) for all x 2 V ; fz1; : : : ; zng. Let + be the following deterministic while program: y := z; ; while z 6= y do y := z; where z 6= y stands for z1 6= y1 _ _ zn 6= yn and y := z stands for y1 := z1 ; ; yn := zn . Thus program + executes iteratively until does not change the state. The remainder of this section is devoted to giving a model-theoretic characterization, using NDL, of Hoare's system for proving partial correctness assertions involving + relative to a given rst-order theory T over . We denote provability in Hoare Logic by `HL . Due to the very speci c form of + , the Hoare system reduces to the following rule: ' ! ; [z=y] ^ ! ; [z=y] ^ ^ z = y ! ' ! [+ ] where '; ; are rst-order formulas and no variable of y occurs free in . The next series of de nitions introduces a variant of NDL. A structure I for the language consisting of a unary function symbol +1 (successor ), a constant symbol 0, and equality is called a time model if the following axioms are valid in I: x+1=y+1!x=y x + 1 6= 0 x 6= 0 ! 9y y + 1 = x x 6= x +1 + + 1}, for any n = 1; 2; : : : | + 1 {z n
Let A be a -structure and I a time model. A function : I ! An is called a
MIT Press Math7X9/2000/06/30:10:36 Page 386
386
Chapter 16
run of in A if the following in nitary formulas are valid in A:
Vi2I [y=(i); z=(i + 1)] ; for every rst-order formula '(z ) over , ^ ^ '((0)) ^ ('((i)) ! '((i + 1))) ! '((i)): i2I
i2I
The rst formula says that for i 2 I, (i) is the valuation obtained from (0) after i iterations of the program . The second formula is the induction scheme along the run . Finally, we say that a partial correctness formula ' ! [+ ] follows from T in nonstandard time semantics and write T NT ' ! [+ ] if for every model A of T , time model I, and run of in A, A '[z=(0)]
!
^
i2I
((i) = (i + 1) ! [z=(i)]):
The following theorem characterizes the power of Hoare Logic for programs of the form + over nonstandard time models. For every rst-order theory T over and rst-order formulas '; over , the following conditions are equivalent: Theorem 16.1:
(i) T `HL ' ! [+ ] ; (ii) T NT ' ! [+ ] : Other proof methods have been characterized in the same spirit. The reader is referred to Makowski and Sain (1986) for more information on this issue and further references.
16.3 Well-Foundedness As in Section 10.6 for PDL, we consider adding to DL assertions to the eect that programs can enter in nite computations. Here too, we shall be interested both in LDL and in RDL versions; i.e., those in which halt and wf , respectively, have been added inductively as new formulas for any program . As mentioned there, the connection with the more common notation repeat and loop (from which
MIT Press Math7X9/2000/06/30:10:36 Page 387
Variants of DL
387
the L and R in the names LDL and RDL derive) is by: def loop () :halt def repeat () :wf :
We now state some of the relevant results. The rst concerns the addition of halt : Theorem 16.2:
LDL DL:
Proof sketch. In view of the equivalences (10.6.2){(10.6.5) of Section 10.6, it suces, for each regular program , to nd a DL formula ' such that [ ]halt
! (' $ wf ): Given such ' , halt ( ) is equivalent to [ ]halt ^ ' .
Consider the computation tree T (s) corresponding to the possible computations of in state s. The tree is derived from by identifying common pre xes of seqs. A node of T (s) is labeled with the state reached at that point. The tree T (s), it should be noted, is obtained from the syntactic tree T by truncating subtrees that are rooted below false tests. Then s halt holds i T (s) contains no in nite path. For any program of the form , consider the tree S (s) derived from T (s) by eliminating all states internal to executions of . Thus t is an immediate descendant of t0 in S (s) i t0 is reached from s by some execution of and t is reached from t0 by an additional execution of . If s [ ]halt , then by Konig's lemma S (s) is of nite outdegree. It can be shown that in this case S (s) has an in nite path i either some state repeats along a path or there are in nitely many states t, each of which appears only within bounded depth in S (s) but for which there is a state appearing for the rst time at depth greater than that of the last appearance of t. This equivalent to \S(s) contains an in nite path" is then written in DL using the fact that a state is characterized by a nite tuple of values corresponding to the nitely many variables in . As an example of a typical portion of this de nition, the following is a DL equivalent of the statement: \There is a state in S (s) appearing for the rst time at depth greater than the greatest depth at which a given state y appears." 9z (< >x = z ^ [z0 := x; (; [z 0 =x]) ; z0 = z ?; ]:x = y):
MIT Press Math7X9/2000/06/30:10:36 Page 388
388
Chapter 16
Here y; z and z 0 are n-tuples of new variables denoting states matching the n-tuple x of variables appearing in . Assignments and tests are executed pointwise, as is the substitution [z 0 =x], which replaces all occurrences of the variables in with their z0 counterparts. The inner program runs simultaneously on x and z0 , reaches z and then continues running on x. The assertion is that y cannot be obtained in this manner. In contrast to this, we have: Theorem 16.3:
LDL < RDL:
Proof sketch. The result is proved by showing how to state in RDL that a binary function g is a well-order, where one rst constrains the domain to be countable, with the unary f acting as a successor function starting at some \zero" constant c. The result then follows from the fact that well-order is not de nable in L!1! (see Keisler (1971)).
Turning to the validity problem for these extensions, clearly they cannot be any harder to decide than that of DL, which is 11 -complete. However, the following result shows that detecting the absence of in nite computations of even simple uninterpreted programs is extremely hard. The validity problems for formulas of the form ' ! wf and formulas of the form ' ! halt , for rst-order ' and regular , are both 11 complete. If is constrained to have only rst-order tests then the ' ! wf case remains 11 -complete but the ' ! halt case is r.e.; that is, it is 01 -complete. Theorem 16.4:
Proof sketch. That the problems are in 11 is easy. The 11 -hardness results can be established by reductions from the recurring tiling problem of Proposition 2.22 similarly to the proof of Theorem 13.1. As for halt formulas with rst-order tests in 01 , compactness and Konig's lemma are used. Details appear in Harel and Peleg (1985).
Axiomatizations of LDL and RDL are discussed in Harel (1984). We just mention here that the additions to Axiom System 14.12 of Chapter 14 that are used to obtain an arithmetically complete system for RDL are the axiom [ ](' ! <>') ! (' ! :wf )
MIT Press Math7X9/2000/06/30:10:36 Page 389
Variants of DL
389
and the inference rule '(n + 1) ! []'(n); :'(0) '(n) ! wf for rst-order ' and n not occurring in .
16.4 Dynamic Algebra Dynamic algebra provides an abstract algebraic framework that relates to PDL as Boolean algebra relates to propositional logic. Dynamic algebra was introduced in Kozen (1980b) and Pratt (1979b) and studied by numerous authors; see Kozen (1979c,b, 1980a, 1981b); Pratt (1979a, 1980a, 1988); Nemeti (1980); Trnkova and Reiterman (1980). A survey of the main results appears in Kozen (1979a). A dynamic algebra is de ned to be any two-sorted algebraic structure (K; B; ), where B = (B; !; 0) is a Boolean algebra, K = (K; +; ; ; 0; 1) is a Kleene algebra (see Section 17.5), and : K B ! B is a scalar multiplication satisfying algebraic constraints corresponding to the dual forms of the PDL axioms (Axioms 5.5). For example, all dynamic algebras satisfy the equations ( ) ' 0 0' (' _ )
= = = =
( ') 0 0
'_ ;
which correspond to the PDL validities < ;
>' <>0 <0?>' <>(' _ )
$ $ $ $
<>< >'
0 0
<>'
_ <> ;
respectively. The Boolean algebra B is an abstraction of the formulas of PDL and the Kleene algebra K is an abstraction of the programs. Kleene algebra is of interest in its own right, and we defer a more detailed treatment until Section 17.5. In short, a Kleene algebra is an idempotent semiring under +; ; 0; 1 satisfying certain axioms for that say essentially that behaves like the asterate operator on sets of strings or re exive transitive closure on binary relations. There are nitary and in nitary axiomatizations of the essential
MIT Press Math7X9/2000/06/30:10:36 Page 390
390
Chapter 16
properties of * that are of quite dierent deductive strength. A Kleene algebra satisfying the stronger in nitary axiomatization is called *-continuous (see Section 17.5). The interaction of scalar multiplication with iteration can be axiomatized in a nitary or in nitary way. One can postulate
' ' _ ( (:' ^ ( ')))
(16.4.1)
corresponding to the diamond form of the PDL induction axiom (Axiom 5.5(viii)). Here ' in B i ' _ = . Alternatively, one can postulate the stronger axiom of -continuity :
' = sup(n '): n
(16.4.2)
We can think of (16.4.2) as a conjunction of in nitely many axioms n ' ', n 0, and the in nitary Horn formula
^
(
n0
n ' ) ! ' :
In the presence of the other axioms, (16.4.2) implies (16.4.1) (Kozen (1980b)), and is strictly stronger in the sense that there are dynamic algebras that are not *continuous (Pratt (1979a)). A standard Kripke frame K = (U; mK ) of PDL gives rise to a *-continuous dynamic algebra consisting of a Boolean algebra of subsets of U and a Kleene algebra of binary relations on U . Operators are interpreted as in PDL, including 0 as 0? (the empty program), 1 as 1? (the identity program), and ' as <>'. Nonstandard Kripke frames (see Section 6.3) also give rise to dynamic algebras, but not necessarily *-continuous ones. A dynamic algebra is separable if any pair of distinct Kleene elements can be distinguished by some Boolean element; that is, if 6= , then there exists ' 2 B with ' 6= '. Research directions in this area include the following.
Representation theory. It is known that any separable dynamic algebra is iso-
morphic to some possibly nonstandard Kripke frame. Under certain conditions, \possibly nonstandard" can be replaced by \standard," but not in general, even for *-continuous algebras (Kozen (1980b, 1979c, 1980a)). Algebraic methods in PDL. The small model property (Theorem 6.5) and completeness (Theorem 7.6) for PDL can be established by purely algebraic considerations (Pratt (1980a)).
MIT Press Math7X9/2000/06/30:10:36 Page 391
Variants of DL
391
Comparative study of alternative axiomatizations of . For example, it is known that separable dynamic algebras can be distinguished from standard Kripke frames by a rst-order formula, but even L!1 ! cannot distinguish the latter from -
continuous separable dynamic algebras (Kozen (1981b)). Equational theory of dynamic algebras. Many seemingly unrelated models of computation share the same equational theory, namely that of dynamic algebras (Pratt (1979b,a)). In addition, many interesting questions arise from the algebraic viewpoint, and interesting connections with topology, classical algebra, and model theory have been made (Kozen (1979b); Nemeti (1980)).
16.5 Probabilistic Programs There is wide interest recently in programs that employ probabilistic moves such as coin tossing or random number draws and whose behavior is described probabilistically (for example, is \correct" if it does what it is meant to do with probability 1). To give one well known example taken from Miller (1976) and Rabin (1980), there are fast probabilistic algorithms for checking primality of numbers but no known fast nonprobabilistic ones. Many synchronization problems including digital contract signing, guaranteeing mutual exclusion, etc. are often solved by probabilistic means. This interest has prompted research into formal and informal methods for reasoning about probabilistic programs. It should be noted that such methods are also applicable for reasoning probabilistically about ordinary programs, for example, in average-case complexity analysis of a program, where inputs are regarded as coming from some set with a probability distribution. Kozen (1981d) provided a formal semantics for probabilistic rst-order while programs with a random assignment statement x := ?. Here the term \random" is quite appropriate (contrast with Section 11.2) as the statement essentially picks an element out of some xed distribution over the domain D. This domain is assumed to be given with an appropriate set of measurable subsets. Programs are then interpreted as measurable functions on a certain measurable product space of copies of D. In Feldman and Harel (1984) a probabilistic version of rst-order Dynamic Logic, Pr(DL), was investigated on the interpreted level. Kozen's semantics is extended as described below to a semantics for formulas that are closed under Boolean connectives and quanti cation over reals and integers and that employ
MIT Press Math7X9/2000/06/30:10:36 Page 392
392
Chapter 16
terms of the form Fr(') for rst-order '. In addition, if is a while program with nondeterministic assignments and ' is a formula, then fg' is a new formula. The semantics assumes a domain D, say the reals, with a measure space consisting of an appropriate family of measurable subsets of D. The states ; ; : : : are then taken to be the positive measures on this measure space. Terms are interpreted as functions from states to real numbers, with Fr(') in being the frequency (or simply, the measure ) of ' in . Frequency is to positive measures as probability is to probability measures. The formula fg' is true in if ' is true in , the state (i.e., measure) that is the result of applying to in Kozen's semantics. Thus fg' means \after , '" and is the construct analogous to <>' of DL. For example, in Pr(DL) one can write
Fr(1) = 1 ! fgFr(1) p to mean, \ halts with probability at least p." The formula
Fr(1) = 1 !
while x > 1=2 do (x := ?; i := i + 1)] 8n ((n 1 ! Fr(i = n) = 2;n ) ^ (n < 1 ! Fr(i = n) = 0)) [i := 1; x := ?;
is valid in all structures in which the distribution of the random variable used in x := ? is a uniform distribution on the real interval [0; 1]. An axiom system for Pr(DL) was proved in Feldman and Harel (1984) to be complete relative to an extension of rst-order analysis with integer variables, and for discrete probabilities rst-order analysis with integer variables was shown to suce. Various propositional versions of probabilistic DL have also been proposed; see Reif (1980); Makowsky and Tiomkin (1980); Ramshaw (1981); Feldman (1984); Parikh and Mahoney (1983); Kozen (1985). In Ramshaw (1981), Ramshaw gave a Hoare-like logic, but observed that even the if-then-else rule was incomplete. Reif (1980) gave a logic that was not expressive enough to de ne if-then-else; moreover, the soundness of one of its proof rules was later called into question (Feldman and Harel (1984)). Makowsky and Tiomkin (1980) gave an in nitary system and proved completeness. Parikh and Mahoney (1983) studied the equational properties of probabilistic programs. Feldman (1984) gave a less expressive version of Pr(DL), though still with quanti ers, and proved decidability by reduction to the rstorder theory of R (Renegar (1991)). Kozen (1985) replaced the truth-functional propositional operators with analogous arithmetic ones, giving an arithmetical calculus closer in spirit to the semantics of Kozen (1981d). Three equivalent
MIT Press Math7X9/2000/06/30:10:36 Page 393
Variants of DL
393
semantics were given: a Markov transition semantics, a generalized operational semantics involving measure transformers, and a generalized predicate transformer semantics involving measurable function transformers. A small model property and PSPACE decision procedure over well-structured programs were given. A deductive calculus was proposed and its use demonstrated by calculating the expected running time of a random walk. In a dierent direction, Lehmann and Shelah (1982) extend propositional temporal logic (Section 17.2) with an operator C for \certainly" where C' means essentially, \' is true with probability 1." Actual numerical probabilities, like p or 2;n in the examples above, are not expressible in this language. Nevertheless, the system can express many properties of interest, especially for nite state protocols that employ probabilistic choice, such as probabilistic solutions to such synchronization problems as mutual exclusion. In many such cases the probabilistic behavior of the program can be described without resorting to numerical values and is independent of the particular distribution used for the random choices. For example, one can write
at L1 ! (:C : eat L2 ^ :C : eat L3) meaning \if execution is at label L1 , then it is possible (i.e., true with nonzero probability) to be at L2 in the next step, and similarly for L3 ." Three variants of the system, depending upon whether positive probabilities are bounded from below or not, and whether or not the number of possibilities is nite, are shown in Lehmann and Shelah (1982) to be decidable and complete with respect to nite eective axiomatizations that extend those of classical modal or temporal logic. Probabilistic processes and model checking have recently become a popular topic of research; see Morgan et al. (1999); Segala and Lynch (1994); Hansson and Jonsson (1994); Jou and Smolka (1990); Pnueli and Zuck (1986, 1993); Baier and Kwiatkowska (1998); Huth and Kwiatkowska (1997); Blute et al. (1997). The relationship between all these formal approaches remains an interesting topic for further work.
16.6 Concurrency and Communication As in Section 10.7 for PDL, we can add to DL the concurrency operator for programs, so that ^ is a program, inductively, for any and . As in concurrent PDL, the meaning of a program is then a relation between states and sets of states. It is not known whether the resulting logic, concurrent DL, is strictly more
MIT Press Math7X9/2000/06/30:10:36 Page 394
394
Chapter 16
expressive than DL, but this is known to be true if both logics are restricted to allow only quanti er-free rst-order tests in the programs. Also, the four axiom systems of Chapter 14 can be proved complete with the appropriate addition of the valid formulas of the concurrent versions of PDL.
16.7 Bibliographical Notes Algorithmic logic was introduced by Salwicki (1970). Mirkowska (1980, 1981a,b) extended AL to allow nondeterministic while programs and studied the operators r and . Complete in nitary deductive systems for propositional and rst-order versions were given by Mirkowska (1980, 1981a,b) using the algebraic methods of Rasiowa and Sikorski (1963). Surveys of early work in AL can be found in Banachowski et al. (1977); Salwicki (1977). Constable (1977), Constable and O'Donnell (1978) and Goldblatt (1982) presented logics similar to AL and DL for reasoning about deterministic while programs. Nonstandard Dynamic Logic was introduced by Nemeti (1981) and Andreka et al. (1982a,b). Theorem 16.1 is due to Csirmaz (1985). See Makowski and Sain (1986) for more information and further references on NDL. Nonstandard semantics has also been studied at the propositional level; see Section 6.4. The halt construct (actually its complement, loop) was introduced in Harel and Pratt (1978), and the wf construct (actually its complement, repeat) was investigated for PDL in Streett (1981, 1982). Theorem 16.2 is from Meyer and Winklmann (1982), Theorem 16.3 is from Harel and Peleg (1985), Theorem 16.4 is from Harel (1984), and the axiomatizations of LDL and PDL are discussed in Harel (1979, 1984). Dynamic algebra was introduced in Kozen (1980b) and Pratt (1979b) and studied by numerous authors; see Kozen (1979c,b, 1980a, 1981b); Pratt (1979a, 1980a, 1988); Nemeti (1980); Trnkova and Reiterman (1980). A survey of the main results appears in Kozen (1979a). The PhD thesis of Ramshaw (1981) contains an engaging introduction to the subject of probabilistic semantics and veri cation. Kozen (1981d) provided a formal semantics for probabilistic programs. The logic Pr(DL) was presented in Feldman and Harel (1984), along with a deductive system that is complete for Kozen's semantics relative to an extension of rst-order analysis. Various propositional versions of probabilistic DL have been proposed in Reif (1980); Makowsky and Tiomkin (1980); Feldman (1984); Parikh and Mahoney (1983); Kozen (1985). The temporal approach to probabilistic veri cation has been studied
MIT Press Math7X9/2000/06/30:10:36 Page 395
Variants of DL
395
in Lehmann and Shelah (1982); Hart et al. (1982); Courcoubetis and Yannakakis (1988); Vardi (1985a). Interest in the subject of probabilistic veri cation has undergone a recent revival; see Morgan et al. (1999); Segala and Lynch (1994); Hansson and Jonsson (1994); Jou and Smolka (1990); Baier and Kwiatkowska (1998); Huth and Kwiatkowska (1997); Blute et al. (1997). Concurrent DL is de ned in Peleg (1987b), in which the results mentioned in Section 16.6 are proved. Additional versions of this logic, which employ various mechanisms for communication among the concurrent parts of a program, are also considered in Peleg (1987c,a).
MIT Press Math7X9/2000/06/30:10:36 P age 396
MIT Press Math7X9/2000/06/30:10:36 Page 397
17 Other Approaches
In this chapter we describe some topics that are the subject of extensive past and present research and which are all closely related to Dynamic Logic. Our descriptions here are very brief and sketchy and are designed to provide the reader with only a most super cial idea of the essence of the topic, together with one or two central or expository references where details and further references can be found.
17.1 Logic of Eective De nitions The Logic of Eective De nitions (LED), introduced by Tiuryn (1981a), was intended to study notions of computability over abtract models and to provide a universal framework for the study of logics of programs over such models. It consists of rst-order logic augmented with new atomic formulas of the form = , where and are eective de nitional schemes (the latter notion is due to Friedman (1971)):
if '1 then t1 else if '2 then t2 else if '3 then t3 else if : : : where the 'i are quanti er-free formulas and ti are terms over a bounded set of variables, and the function i 7! ('i ; ti ) is recursive. The formula = is de ned to be true in a state if both and terminate and yield the same value, or neither terminates. Model theory and in nitary completeness of LED are treated in Tiuryn (1981a). Eective de nitional schemes in the de nition of LED can be replaced by any programming language K , giving rise to various logical formalisms. The following result, which relates LED to other logics discussed here, is proved in Meyer and Tiuryn (1981, 1984). Theorem 17.1:
LED DL(r.e.):
For every signature L,
MIT Press Math7X9/2000/06/30:10:36 Page 398
398
Chapter 17
17.2 Temporal Logic Temporal Logic (TL) is an alternative application of modal logic to program speci cation and veri cation. It was rst proposed as a useful tool in program veri cation by Pnueli (1977) and has since been developed by many authors in various forms. This topic is surveyed in depth in Emerson (1990) and Gabbay et al. (1994). TL diers from DL chie y in that it is endogenous ; that is, programs are not explicit in the language. Every application has a single program associated with it, and the language may contain program-speci c statements such as at L, meaning \execution is currently at location L in the program." There are two competing semantics, giving rise to two dierent theories called linear-time and branchingtime TL. In the former, a model is a linear sequence of program states representing an execution sequence of a deterministic program or a possible execution sequence of a nondeterministic or concurrent program. In the latter, a model is a tree of program states representing the space of all possible traces of a nondeterministic or concurrent program. Depending on the application and the semantics, dierent syntactic constructs can be chosen. The relative advantages of linear and branching time semantics are discussed in Lamport (1980); Emerson and Halpern (1986); Emerson and Lei (1987); Vardi (1998a). Modal constructs used in TL include 2' \' holds in all future states" 3' \' holds in some future state" e' \' holds in the next state" for linear-time logic, as well as constructs for expressing \for all traces starting from the present state : : : " \for some trace starting from the present state : : : " for branching-time logic. Temporal logic is useful in situations where programs are not normally supposed to halt, such as operating systems, and is particularly well suited to the study of concurrency. Many classical program veri cation methods such as the intermittent assertions method are treated quite elegantly in this framework; we give an example of this below. Temporal logic has been most successful in providing tools for proving properties of concurrent nite state protocols, such as solutions to the dining philosophers and mutual exclusion problems, which are popular abstract versions of synchronization and resource management problems in distributed systems.
MIT Press Math7X9/2000/06/30:10:36 Page 399
Other Approaches
399
The Inductive Assertions Method In this section we give an example to illustrate the inductive assertions method. We will later give a more modern treatment using TL. For purposes of illustration, we use a programming language in which programs consist of a sequence of labeled statements. Statements may include simple assignments, conditional and unconditional go to statements, and print statements. For example, the following program computes n!. Example 17.2:
L0 L1 L2 L3 L4 L5
: : : : : :
x := 1 y := 1 y := y + 1 x := x y if y 6= n then go to L2 print x
In this program, the variable n can be considered free; it is part of the input. Note that the program does not halt if n = 1. Suppose we wish to show that whenever the program halts, x will contain the value n!. Traditionally one establishes an invariant , which is a statement ' with the properties (i) ' is true at the beginning, (ii) ' is preserved throughout execution, and (iii) ' implies the output condition. In our case, the output condition is x = n!, and the appropriate invariant ' is
at L1 ! x = 1 ^ at L2 ! x = y! ^ at L3 ! x = (y ; 1)! (17.2.1) ^ at L4 ! x = y! ^ at L5 ! x = y! ^ y = n where at Li means the processor is about to execute statement Li . Then (i) holds, because at the beginning of the program, at L0 is true, therefore all ve conjuncts are vacuously true. To show that (ii) holds, suppose we are at any point in the
MIT Press Math7X9/2000/06/30:10:36 Page 400
400
Chapter 17
program, say L3 , and ' holds. Then x = (y ; 1)!, since at L3 ! x = (y ; 1)! is a conjunct of '. In the next step, we will be at L4 , and x = y! will hold, since we will have just executed the statement L3 : x := x y. Therefore at L4 ! x = y! will hold, and since at L4 holds, all the other conjuncts will be vacuously true, so ' will hold. In this way we verify, for each possible location in the program, that ' is preserved after execution of one instruction. Finally, when we are about to execute L5 , ' ensures that x contains the desired result n!.
The Temporal Approach To recast this development in the framework of Temporal Logic, note that we are arguing that a certain formula ' is preserved throughout time. If we de ne a state of the computation to be a pair (Li ; u) where Li is the label of a statement and u is a valuation of the program variables, then we can consider the trace
= s0 s1 s2 of states that the program goes through during execution. Each state si contains all the information needed to determine whether ' is true at si . We write si ' if the statement ' holds in the state si . There is also a binary relation Next that tells which states can immediately follow a state. The relation Next depends on the program. For example, in the program of Example 17.2, ((L2 ; x = 6; y = 14); (L3 ; x = 6; y = 15)) 2 Next: In the sequence above, s0 is the start state (L0 ; x = 0; y = 0) and si+1 is the unique state such that (si ; si+1 ) 2 Next. In ordinary deterministic programs, each state has at most one Next-successor, but in concurrent or nondeterministic programs, there may be many possible Next-successors. De ne def s e' () for all states t such that (s; t) 2 Next, t ' def s 2' () starting with s, all future states satisfy ' () for all t such that (s; t) 2 Next ; t ' def
where Next is the re exive transitive closure of Next
s 3' () s :2:': In other words, s e' if all Next-successors of s satisfy '. In the trace , if si+1 exists, then si e' i si+1 '. The formula e' does not imply that a
MIT Press Math7X9/2000/06/30:10:36 Page 401
Other Approaches
401
Next-successor exists; however, the dual operator : e: can be used where this is
desired:
s : e:' () there exists t such that (s; t) 2 Next and t '. In the trace , si 2' i 8j i, sj '. To say that the statement ' of (17.2.1) is an invariant means that every si satis es ' ! e'; that is, if si ' then si+1 '. This is the same as saying s0 2(' ! e'): To say that ' holds at the beginning of execution is just s0 ': The principle of induction on N allows us to conclude that ' will be true in all reachable states; that is,
s0 2': We can immediately derive the correctness of the program, since (17.2.1) implies our desired output condition. The induction principle of TL takes the form:
' ^ 2(' ! e') ! 2':
(17.2.2)
Note the similarity to the PDL induction axiom (Axiom 5.5(viii)):
' ^ [ ](' ! []') !
[ ]':
This is a classical program veri cation method known as inductive or invariant assertions. The operators 2, e, and 3 are called temporal operators because they describe how the truth of the formula ' depends on time. The inductive or invariant assertions method is really an application of the temporal principle (17.2.2). The part 2(' ! e') of the formula ' of (17.2.2) says that ' is an invariant ; that is, at all future points, if ' is true, then ' will be true after one more step of the program. This method is useful for proving invariant or safety properties . These are properties that can be expressed as 2'; that is, properties that we wish to remain true throughout the computation. Examples of such properties are:
partial correctness |see Example 17.2; mutual exclusion |no two processes are in their critical sections simultaneously;
MIT Press Math7X9/2000/06/30:10:36 Page 402
402
Chapter 17
clean execution |for example, a stack never over ows, or we never divide by 0 at
a particular division instruction; freedom from deadlock |it is never the case that all processes are simultaneously requesting resources held by another process. Another very important class of properties that one would like to reason about are eventuality or liveness properties , which say that something will eventually become true. These are expressed using the 3 operator of TL. Examples are:
total correctness |a program eventually halts and produces an output that is
correct; fairness or freedom from starvation |if a process is waiting for a resource, it will eventually obtain access to it; liveness of variables |if a variable x is assigned a value through the execution of an assignment statement x := t, then that variable is used at some future point. There are two historical methods of reasoning about eventualities. The rst is called the method of well-founded sets ; the second is called intermittent assertions . Recall from Section 1.3 that a strict partial order (A; <) is well-founded if every subset has a minimal element. This implies that there can be no in nite descending chains
a0 > a1 > a2 > in A. One way to prove that a program terminates is to nd such a well-founded set (A; <) and associate with each state s of the computation an element as 2 A such that if (s; t) 2 Next then as > at . Thus the program could not run forever through states s0 ; s1 ; s2 ; : : : , because then there would be an in nite descending chain
as0 > as1 > as2 > ; contradicting the assumption of well-foundedness. For example, in the program (17.2), if we start out with n > 1, then every time through the loop, y is incremented by 1, so progress is made toward y = n which will cause the loop to exit at L4. One can construct a well-founded order < on states that models this forward progress. However, the expression describing it would be a rather lengthy and unnatural arithmetic combination of the values of n and y and label indices Li , even for this very simple program. A more natural method is the intermittent assertions method . This establishes
MIT Press Math7X9/2000/06/30:10:36 Page 403
Other Approaches
403
eventualities of the form ! 3' by applications of rules such as
! 3; ! 3' ! 3'
(17.2.3)
among others. This method may also use well-founded relations, although the wellfounded relations one needs to construct are often simpler. For example, in the program of Example 17.2, total correctness is expressed by
at L0 ^ n > 1 ! 3(at L5 ^ x = n!):
(17.2.4)
Using (17.2.3), we can prove
at L0 ^ n > 1 ! 3(at L4 ^ y n ^ x = y!)
(17.2.5)
from the four statements
at L0 ^ n > 1 at L1 ^ n > 1 ^ x = 1 at L2 ^ n > 1 ^ y = 1 at L3 ^ n > 1 ^ x = 1 ^ y = 2
! ! ! ! !
e(at L1 ^ n > 1 ^ x = 1) e(at L2 ^ n > 1 ^ x = 1 ^ y = 1) e(at L3 ^ n > 1 ^ x = 1 ^ y = 2) e(at L4 ^ n > 1 ^ x = 2 ^ y = 2) e(at L4 ^ y n ^ x = y !):
Similarly, one can prove using (17.2.3) that for all values a,
at L4 ^ y = a ^ y < n ^ x = y! ! 3(at L4 ^ y = a + 1 ^ y n ^ x = y!) (17.2.6) by going through the loop once. This implies that every time through the loop, the value of n ; y decreases by 1. Thus we can use the well-founded relation < on the natural numbers to get
at L4 ^ y n ^ x = y! ! 3(at L4 ^ y = n ^ x = y!)
(17.2.7)
from (17.2.6), using the principle
9m (m) ^ 8m 2( (m + 1) ! 3 (m)) ! 3 (0): Finally, we observe that
at L4 ^ y = n ^ x = y! ! e(at L5 ^ x = n!); so we achieve our proof of the total correctness assertion (17.2.4) by combining (17.2.5), (17.2.6), and (17.2.7) using (17.2.3).
MIT Press Math7X9/2000/06/30:10:36 Page 404
404
Chapter 17
Expressiveness Recall def s e' () 8t (s; t) 2 Next ! t ' def s 2' () 8t (s; t) 2 Next ! t ' def s 3' () s :2:' () 9t (s; t) 2 Next ^ t ':
Here are some interesting properties that can be expressed with e, 3, and 2 over linear-time interpretations. Example 17.3:
(i) The trace consists of exactly one state: def halt ()
e0
(ii) The trace is nite, that is, the computation eventually halts: def n () 3halt
(iii) The trace is in nite: def inf () : n
(iv) The formula ' is true at in nitely many points along the trace (a formula is true at a state on a trace if the formula is satis ed by the sux of the trace beginning at that state):
inf ^ 23' (v) The formula ' becomes true for the rst time at some point, then remains true thereafter:
3' ^ 2(' ! 2') (vi) The trace has exactly one nonnull interval on which ' is true, and it is false elsewhere:
3' ^ 2((' ^ e:') ! e2:')
MIT Press Math7X9/2000/06/30:10:36 Page 405
Other Approaches
405
(vii) The formula ' is true at each multiple of 4 but false elsewhere:
' ^ 2(' ! e(:' ^ e(:' ^ e(:' ^ e'))))
The Until Operator
One useful operator that cannot be expressed is until. This is a binary operator written in in x (e.g., ' until ). It says that there exists some future point t such that t and that all points strictly between the current state and t satisfy '. The operators e, 3, and 2 can all be de ned in terms of until:
() :(0 until :') 3' () ' _ (1 until ') 2' () ' ^ :(1 until :') e'
In the de nition of e, the subexpression 0 until :' says that some future point t satis es :', but all points strictly between the current state and t satisfy 0 (false ); but this can happen only if there are no intermediate states, that is, t is the next state. Thus 0 until :' says that there exists a Next-successor satisfying :'. The de nition of 3 says that ' is true now or sometime in the future, and all intermediate points satisfy 1 (true ). It has been shown in Kamp (1968) and Gabbay et al. (1980) that the until operator is powerful enough to express anything that can be expressed in the rstorder theory of (!; <). It has also been shown in Wolper (1981, 1983) that there are very simple predicates that cannot be expressed by until; for example, \' is true at every multiple of 4." Compare Example 17.3(vii) above; here, we do not say anything about whether ' is true at points that are not multiples of 4. The until operator has been shown to be very useful in expressing noninput/output properties of programs such as: \If process p requests a resource before q does, then it will receive it before q does." Indeed, much of the research in TL has concentrated on providing useful methods for proving these and other kinds of properties (see Manna and Pnueli (1981); Gabbay et al. (1980)).
Concurrency and Nondeterminism Unlike DL, TL can be applied to programs that are not normally supposed to halt, such as operating systems, because programs are interpreted as traces instead of pairs of states. Up to now we have only considered deterministic, single-process programs, so that for each state s, if (s; t) 2 Next then t is unique. There is no
MIT Press Math7X9/2000/06/30:10:36 Page 406
406
Chapter 17
reason however not to apply TL to nondeterministic and concurrent (multiprocessor) systems, although there is a slight problem with this, which we discuss below. In the single-processor environment, a state is a pair (Li ; u), where Li is the instruction the program is about to execute, and u is a valuation of the program variables. In a multiprocessor environment, say with n processors, a state is a tuple (L1 ; : : : ; Ln ; u) where the ith process is just about to execute Li . If s and t are states, then (s; t) 2 Next if t can be obtained from s by letting just one process pi execute Li while the other processes wait. Thus each s can have up to n possible next states. In a nondeterministic program, a statement
Li : go to Lj or Lk can occur; to execute this statement, a process chooses nondeterministically to go to either Lj or Lk . Thus we can have two next states. In either of these situations, multiprocessing or nondeterminism, the computation is no longer a single trace, but many dierent traces are possible. We can assemble them all together to get a computation tree in which each node represents a state accessible from the start state. As above, an invariance property is a property of the form 2', which says that the property ' is preserved throughout time. Thus we should de ne def s 2' () t ' for every node t in the tree below s.
The problem is that the dual 3 of the operator 2 de ned in this way does not really capture what we mean by eventuality or liveness properties. We would like to be able to say that every possible trace in the computation tree has a state satisfying '. For instance, a nondeterministic program is total if there is no chance of an in nite trace out of the start state s; that is, every trace out of s satis es 3halt. The dual 3 of 2 as de ned by 3' = :2:' does not really express this. It says instead
s 3' () there is some node t in the tree below s such that t ': This is not a very useful statement. There have been several proposals to x this. One way is to introduce a new modal operator A that says, \For all traces in the tree : : : ," and then use 2, 3 in the sense of linear TL applied to the trace quanti ed by A. The dual of A is E, which says, \There exists a trace in the tree : : : ." Thus, in order to say that the computation tree starting from the current state satis es a safety or invariance
MIT Press Math7X9/2000/06/30:10:36 Page 407
Other Approaches
407
property, we would write A2';
which says, \For all traces out of the current state, satis es 2'," and to say that the tree satis es an eventuality property, we would write A3';
which says, \For all traces out of the current state, satis es 3'; that is, ' occurs somewhere along the trace ." The logic with the linear temporal operators augmented with the trace quanti ers A and E is known as CTL; see Emerson (1990); Emerson and Halpern (1986, 1985); Emerson and Lei (1987); Emerson and Sistla (1984). An alternative approach that ts in well with PDL is to bring the programs back into the language explicitly, only this time interpret programs as sets of traces instead of pairs of states. We could then write []3' []2'
which would mean, respectively, \For all traces of program , 3'" and \For all traces of , 2'," and these two statements would capture precisely our intuitive notion of eventuality and invariance. We discuss such a system, called Process Logic, below in Section 17.3.
Complexity and Deductive Completeness A useful axiomatization of linear-time TL is given by the axioms
2(' ! ) 2(' ^ ) 3' e(' _ ) e(' ^ ) ' ^ 2(' ! e') 8x '(x) 8x 2'
! $ $ $ $ ! ! !
(2' ! 2 )
2' ^ 2 ' _ e3' e' _ e e' ^ e 2' '(t) (t is free for x in ') 28x '
MIT Press Math7X9/2000/06/30:10:36 Page 408
408
and rules
'; ' !
Chapter 17
' 2'
'
8x ' :
Compare the axioms of PDL (Axioms 5.5). The propositional fragment of this deductive system is complete for linear-time propositional TL, as shown in Gabbay et al. (1980). Sistla and Clarke (1982) and Emerson and Halpern (1985) have shown that the validity problem for most versions of propositional TL is PSPACE -complete for linear structures and EXPTIME -complete for branching structures. Embedding TL in DL TL is subsumed by DL. To embed propositional TL into PDL, take an atomic program a to mean \one step of program p." In the linear model, the TL constructs e', 2', 3', and ' until are then expressed by [a]', [a ]', ', and <(a; '?) ; a> , respectively.
17.3 Process Logic Dynamic Logic and Temporal Logic embody markedly dierent approaches to reasoning about programs. This dichotomy has prompted researchers to search for an appropriate process logic that combines the best features of both. An appropriate candidate should combine the ability to reason about programs compositionally with the ability to reason directly about the intermediate states encountered during the course of a computation. Pratt (1979c), Parikh (1978b), Nishimura (1980), and Harel et al. (1982) all suggested increasingly more powerful propositional-level formalisms in which the basic idea is to interpret formulas in traces rather than in states. In particular, Harel et al. (1982) present a system called Process Logic (PL), which is essentially a union of TL and test-free regular PDL. That paper proves that the satis ability problem is decidable and gives a complete nitary axiomatization. We present here an extended version that includes tests. In order to interpret the while loop correctly, we also include an operator ! for in nite iteration. We allow only poor tests (see Section 10.2). Syntactically, we have programs ; ; : : : and propositions '; ; : : : as in PDL. We have atomic symbols of each type and compound expressions built up from the operators !, 0, ;, [, , ? (applied to Boolean combinations of atomic formulas only), !, and [ ]. In addition we have the temporal operators rst and until. The
MIT Press Math7X9/2000/06/30:10:36 Page 409
Other Approaches
409
temporal operators are available for expressing and reasoning about trace properties, but programs are constructed compositionally as in PDL. Other operators are de ned as in PDL (see Section 5.1) except for skip, which we handle specially below. Semantically, both programs and propositions are interpreted as sets of traces. We start with a Kripke frame K = (K; mK ) as in Section 5.2, where K is a set of states s; t; : : : and the function mK interprets atomic formulas p as subsets of K and atomic programs a as binary relations on K . A trace is a nite or in nite sequence of states
= s0 s1 s2 (repetitions allowed). A trace is of length n if it contains n + 1 states; thus a single state constitutes a trace of length 0. The rst state of a trace is denoted rst(), and the last state (if it exists) is denoted last(). The state last() exists i is nite. If = s0 s1 sk and = sk sk+1 are traces, then the fusion of and is the trace
= s0 s1 sk;1 sk sk+1 Note that sk is written only once. The traces and cannot be fused unless is nite and last() = rst( ). If is in nite, or if is nite but last() 6= rst( ), then does not exist. A trace is a sux of a trace if there exists a nite trace such that = . It is a proper sux if there exists such a of nonzero length. If A and B are sets of traces, we de ne
A B def = f j 2 A; 2 B g def A B = A B [ fin nite traces in Ag: It is not hard to verify that and are associative. We de ne the interpretation of the temporal operators rst. The de nition is slightly dierent from that of Section 17.2, but the concept is similar. For p an atomic proposition and a nite trace, de ne def p () last() 2 mK (p):
The right-hand side is given by the speci cation of the Kripke frame K. If is
MIT Press Math7X9/2000/06/30:10:36 Page 410
410
Chapter 17
in nite, or if is nite and last() 62 mK (p), then 2 p. We also de ne def rst ' () rst() ' def ' until () there exists a proper sux of such that , and for all proper suxes of such that is a proper sux of , '. The following trace satis es ( rst (q ^ :p)) until rst :q: q q q q q :q q q p :p :p :p :p p p :p
s s s s s s s s -
-
-
-
-
-
-
-
As in Section 17.2, if we de ne
def () def 2' () def 3' () ()
e'
:(0 until :') ' ^ :(1 until :') :2:' ' _ (1 until ');
then we get
e' () the maximal proper sux of , if it exists, satis es ', 2' () all suxes of , proper or not, satisfy ', 3' () there exists a sux of , proper or not, satisfying '. Now we wish to extend the de nition of mK to give meanings to programs. The extended meaning function mK will assign a set of traces to each program. The meaning of an atomic program a is the binary relation mK (a) as determined by the frame K, considered as a set of traces of length one. We de ne mK ( [ ) mK ( ; )
def
mK (! ) mK ('?)
def
= = = def mK ( ) = def
= =
def
mK () [ mK ( ) mK () mK ( ) mK () mK ( ) [ fin nite traces in mK ()g [ mK (n ); where mK (0 ) def = K and mK (n+1 ) def = mK (n ) n0 f0 1 j n 2 mK (); n 0g [ fin nite traces in mK ( )g mK (') \ ftraces of length 0g:
MIT Press Math7X9/2000/06/30:10:36 Page 411
Other Approaches
411
We do not de ne skip as 1? as in PDL, but rather as the relation
skip def = f(s; s) j s 2 K g: The reason for including the ! operator is to model the while loop correctly. In PDL, we had
while ' do = ('? ; ) ; :'? which was all right for binary relation semantics, since if the test ' never becomes false, there will be no output state. However, with trace semantics, such a computation would result in an in nite trace obtained by concatenating in nitely many nite traces. This is given by ! and should be included in the semantics of the while loop. Thus for PL, we de ne
while ' do def = ('? ; ) ; :'? [ ('? ; )! : We would also like in nite traces in mK () included in mK ( ; ). Intuitively, such traces would result if ran forever without terminating, thus they would also result from running ; . For the semantics of the modal operator [ ], we de ne 2 mK ([]') i either of the following two conditions holds: (i) is nite, and for all traces 2 mK () such that exists, 2 mK ('); or (ii) is in nite and 2 mK ('). Intuitively, either represents a nite computation and all extensions of obtained by running the program satisfy '; or is an in nite computation satisfying ' already. The addition of clause (ii) takes care of the possibility that does not halt. It causes the PDL axiom [ ; ]' $ [][ ]' to be satis ed.
Axiomatization Trace models satisfy (most of) the PDL axioms. As in Section 17.2, de ne def e0 halt () def n () 3halt def inf () : n;
MIT Press Math7X9/2000/06/30:10:36 Page 412
412
Chapter 17
which say that the trace is of length 0, of nite length, or of in nite length, respectively. De ne two new operators [[ ]] and << >>: def () n ! []' def <<>>' () :[[]]:' () n ^ <>': [[]]'
Then mK ([[]]') = f j for all 2 mK (), if exists, then 2 mK (')g mK (<<>>') = f j there exists 2 mK () such that exists and 2 mK (')g: The operator << >> is just < > restricted to nite traces. By de nition of [ ] and < >, the following are valid formulas of PL: []' $ ( n ! [[]]') ^ (inf ! ') $ ( n ^ [[]]') _ (inf ^ ') <>' $ ( n ! <<>>') ^ (inf ! ') $ ( n ^ <<>>') _ (inf ^ '): First we show that the modal axioms [](' ^ ) $ ([]' ^ [] ) (17.3.1) [](' ! ) ! ([]' ! [] ) (17.3.2) are satis ed. To show (17.3.1), rst observe that [[]](' ^ ) $ [[]]' ^ [[]] is valid. Then [](' ^ ) $ ( n ! [[]](' ^ )) ^ (inf ! (' ^ )) $ ( n ! ([[]]' ^ [[]] )) ^ (inf ! (' ^ )) $ ( n ! [[]]') ^ ( n ! [[]] ) ^ (inf ! ') ^ (inf ! )
$ []' ^ [] :
To show (17.3.2), by propositional reasoning, it suces to show [](' ! ) ^ []' ! [] : First observe that [[]](' ! ) ^ [[]]' ! [[]]
MIT Press Math7X9/2000/06/30:10:36 Page 413
Other Approaches
413
is valid. Then []('
! ) ^ []' ( n ! [[]](' ! )) ^ (inf ! (' ! )) ^ ( n ! [[]]') ^ (inf ! ') ( n ! ([[]]' ! [[]] )) ^ (inf ! (' ! )) ^ ( n ! [[]]') ^ (inf ! ') ( n ! ([[]]' ^ ([[]]' ! [[]] ))) ^ (inf ! (' ^ (' ! ))) ( n ! [[]] ) ^ (inf ! )
$ ! $ ! $ [] :
The argument for the axiom [
[ ]' $ []' ^ [ ]'
is similar and uses the property [[
[ ]]' $
[[]]'
^ [[ ]]':
The axiom [ ; ]' $ [][ ]' is obtained as follows. Suppose is nite. Arguing semantically, 2 mK ([[ ; ]]') i
for all in nite -traces such that exists, '; and for all nite -traces such that exists, for all -traces such that exists, '. Thus [[ ;
inf ! ') ^ [[]]( n ! [[ ]]') $ [[]]((inf ! ') ^ ( n ! [[ ]]')) $ [[]][ ]'
]]' $
[[]](
and [ ;
]' $ ( n ! [[ ; ]]') ^ (inf ! ') $ ( n ! [[]][ ]') ^ (inf ! ') $ ( n ! [[]][ ]') ^ (inf ! [ ]') $ [][ ]':
The penultimate step uses the fact that ' and [ ]' are equivalent for in nite traces.
MIT Press Math7X9/2000/06/30:10:36 Page 414
414
Chapter 17
The operator is the same as in PDL. It can be shown that the two PDL axioms
' ^ [][ ]' $ ' ^ [ ](' ! []') !
[ ]' [ ]'
hold by establishing that
[
n0
mK (n ) = mK (0 ) [ (mK ()
=
[
mK (n ))
[ nn0 0 mK ( ) [ (( mK ( )) mK ()): n0
The axiom for the test operator ? is not quite the same as in PDL. The PDL axiom [ ?]' $ ( ! ') is valid only for weak tests and nite traces. If either one of these restrictions is lifted, then the formula is no longer valid. Instead we postulate ( n ! ([ ?]' $ ( ! '))) ^ (inf ! ([ ?]' $ '))
(17.3.3)
for weak tests only. In our formulation, tests are instantaneous. One may argue that this interferes with the semantics of programs such as while 1 do '?, which rightfully should generate an in nite trace but does not. This suggests an alternative approach in which tests would be interpreted as binary relations (traces of length one). However, the latter approach is even more problematic. For one thing, it is not clear how to axiomatize [ ?]'; certainly (17.3.3) is no longer valid. Since we can assert the length of a trace, our axiomatization would be encumbered by such irrelevancies as length 17 ! [1?]length 18. Worse, Boolean algebra would no longer be readily available, at least in any simple form. For example, '? ; '? and '? would no longer be equivalent. We thus prefer the formulation we have given. Note, however, that if we restrict programs to ordinary while programs in which '? must occur in the test of a conditional or while statement, then pathelogical programs such as while 1 do '? are disallowed, and all is well. The program while 1 do skip generates an in nite trace because of the rede nition of skip. Finally, what can we say about !? One property that is certain is mK (! ) = mK () mK (! ) = mK (! ) mK ();
MIT Press Math7X9/2000/06/30:10:36 Page 415
Other Approaches
415
which leads to the axioms [! ]'
$ [! ]' $ [! ]':
One might expect the formula [! ]inf to be valid, but this is not the case. For example, mK (1?! ) contains all and only traces of length 0. However, if any trace 2 mK (! ) has a state satisfying '|that is, if has a sux satisfying rst '|then some pre x of in mK() also has this property. Thus [ ]3 rst ' ! [! ]3 rst ' (17.3.4)
is valid. We cannot replace rst ' by an arbitrary property ; for instance, (17.3.4) does not necessarily hold for = inf . As mentioned, the version of PL of Harel et al. (1982) is decidable (but, it seems, in nonelementary time only) and complete. It has also been shown that if we restrict the semantics to include only nite traces (not a necessary restriction for obtaining the results above), then PL is no more expressive than PDL. Translations of PL structures into PDL structures have also been investigated, making possible an elementary time decision procedure for deterministic PL; see Halpern (1982, 1983). An extension of PL in which rst and until are replaced by regular operators on formulas has been shown to be decidable but nonelementary in Harel et al. (1982). This logic perhaps comes closer to the desired objective of a powerful decidable logic of traces with natural syntactic operators that is closed under attachment of regular programs to formulas. First-order PL has not been properly investigated yet, perhaps because the \right" logic has not yet been agreed upon. It is also not quite clear yet whether the PL approach has pragmatic advantages over TL in reasoning about concurrent programs. The exact relationship of PL with the second order theory of n successors (see Rabin (1969)), to which the validity problem is reduced for obtaining decidability, seems also worthy of further study.
17.4 The -Calculus The -calculus was suggested as a formalism for reasoning about programs in Scott and de Bakker (1969) and was further developed in Hitchcock and Park (1972), Park (1976), and de Bakker (1980). The heart of the approach is , the least xpoint operator, which captures the notions of iteration and recursion. The calculus was originally de ned as a rst-
MIT Press Math7X9/2000/06/30:10:36 Page 416
416
Chapter 17
order-level formalism, but propositional versions have become popular. The operator binds relation variables. If '(X ) is a logical expression with a free relation variable X , then the expression X:'(X )represents the least X such that '(X ) = X , if such an X exists. For example, the re exive transitive closure R of a binary relation R is the least binary relation containing R and closed under re exivity and transitivity; this would be expressed in the rst-order -calculus as
R def = X (x; y):(x = y _ 9z (R(x; z ) ^ X (z; y))):
(17.4.1)
This should be read as, \the least binary relation X (x; y) such that either x = y or x is related by R to some z such that z and y are already related by X ." This captures the usual xpoint formulation of re exive transitive closure (Section 1.7). The formula (17.4.1) can be regarded either as a recursive program computing R or as an inductively de ned assertion that is true of a pair (x; y) i that pair is in the re exive transitive closure of R. The existence of a least xpoint is not guaranteed except under certain restrictions. Indeed, the formula :X has no xpoint, therefore X::X does not exist. Typically, one restricts the application of the binding operator X to formulas that are positive or syntactically monotone in X ; that is, those formulas in which every free occurrence of X occurs in the scope of an even number of negations. This implies that the relation operator X 7! '(X ) is (semantically) monotone in the sense of Section 1.7, which by the Knaster{Tarski theorem (Theorem 1.12) ensures the existence of a least xpoint. The rst-order -calculus can de ne all sets de nable by rst-order induction and more. In particular, it can capture the input/output relation of any program built from any of the DL programming constructs we have discussed. Since the rst-order -calculus also admits rst-order quanti cation, it is easily seen to be as powerful as DL. It was shown by Park (1976) that niteness is not de nable in the rstorder -calculus with the monotonicity restriction, but well-foundedness is. Thus this version of the -calculus is independent of L!1ck! (and hence of DL(r.e.)) in expressive power. Well-foundedness of a binary relation R can be written
8x (X (x):8y (R(y; x) ! X (y))): A more severe syntactic restriction on the binding operator X is to allow its application only to formulas that are syntactically continuous in X ; that is, those formulas in which X does not occur free in the scope of any negation or any universal quanti er. It can be shown that this syntactic restriction implies semantic
MIT Press Math7X9/2000/06/30:10:36 Page 417
Other Approaches
417
continuity (Section 1.7), so the least xpoint is the union of ?, '(?), '('(?)); : : : . As shown in Park (1976), this version is strictly weaker than L!1ck ! . In Pratt (1981a) and Kozen (1982, 1983), propositional versions of the -calculus were introduced. The latter version consists of propositional modal logic with a least xpoint operator. It is the most powerful logic of its type, subsuming all known variants of PDL, game logic of Parikh (1983), various forms of temporal logic (see Section 17.2), and other seemingly stronger forms of the -calculus (Vardi and Wolper (1986c)). In the following presentation we focus on this version, since it has gained fairly widespread acceptance; see Kozen (1984); Kozen and Parikh (1983); Streett (1985a); Streett and Emerson (1984); Vardi and Wolper (1986c); Walukiewicz (1993, 1995, 2000); Stirling (1992); Mader (1997); Kaivola (1997). The language of the propositional -calculus, also called the modal -calculus , is syntactically simpler than PDL. It consists of the usual propositional constructs ! and 0, atomic modalities [a], and the least xpoint operator . A greatest xpoint operator dual to can be de ned: def X:'(X ) () :X::'(:X ):
Variables are monadic, and the operator may be applied only to syntactically monotone formulas. As discussed above, this ensures monotonicity of the corresponding set operator. The language is interpreted over Kripke frames in which atomic propositions are interpreted as sets of states and atomic programs are interpreted as binary relations on states. The propositional -calculus subsumes PDL. For example, the PDL formula ' for atomic a can be written X:(' _ X ). The formula X:[a]X , which expresses the existence of a forced win for the rst player in a two-player game, and the formula X:[a]X , which expresses well-foundedness and is equivalent to wf a (see Section 10.6), are both inexpressible in PDL, as shown in Streett (1981); Kozen (1981c). Niwinski (1984) has shown that even with the addition of the halt construct, PDL is strictly less expressive than the -calculus. The propositional -calculus satis es a nite model theorem, as rst shown in Kozen (1988). Decidability results were obtained in Kozen and Parikh (1983); Vardi and Stockmeyer (1985); Vardi (1985b), culminating in a deterministic exponentialtime algorithm of Emerson and Jutla (1988) based on an automata-theoretic lemma of Safra (1988). Since the -calculus subsumes PDL, it is EXPTIME -complete. In Kozen (1982, 1983), an axiomatization of the propositional -calculus was proposed and conjectured to be complete. The axiomatization consists of the axioms
MIT Press Math7X9/2000/06/30:10:36 Page 418
418
Chapter 17
and rules of propositional modal logic, plus the axiom '[X=X:'] ! X:' and rule '[X= ] !
X:' ! for . Completeness of this deductive system for a syntactically restricted subset of
formulas was shown in Kozen (1982, 1983). Completeness for the full language was proved by Walukiewicz (1995, 2000). This was quickly followed by simpler alternative proofs by Ambler et al. (1995); Bonsangue and Kwiatkowska (1995); Hartonas (1998). Brad eld (1996) showed that the alternating = hierarchy (least/greatest xpoints) is strict. An interesting open question is the complexity of model checking : does a given formula of the propositional -calculus hold in a given state of a given Kripke frame? Although some progress has been made (see Bhat and Cleaveland (1996); Cleaveland (1996); Emerson and Lei (1986); Sokolsky and Smolka (1994); Stirling and Walker (1989)), it is still unknown whether this problem has a polynomial-time algorithm. The propositional -calculus has become a popular system for the speci cation and veri cation of properties of transition systems, where it has had some practical impact (Steen et al. (1996)). Several recent papers on model checking work in this context; see Bhat and Cleaveland (1996); Cleaveland (1996); Emerson and Lei (1986); Sokolsky and Smolka (1994); Stirling and Walker (1989). A comprehensive introduction can be found in Stirling (1992).
17.5 Kleene Algebra Kleene algebra (KA) is the algebra of regular expressions. It is named for S. C. Kleene (1909{1994), who among his many other achievements invented regular expressions and proved their equivalence to nite automata in Kleene (1956). Kleene algebra has appeared in various guises and under many names in relational algebra (Ng (1984); Ng and Tarski (1977)), semantics and logics of programs (Kozen (1981b); Pratt (1988)), automata and formal language theory (Kuich (1987); Kuich and Salomaa (1986)), and the design and analysis of algorithms (Aho et al. (1975); Tarjan (1981); Mehlhorn (1984); Iwano and Steiglitz (1990); Kozen (1991b)). As discussed in Section 16.4, Kleene algebra plays a prominent role in dynamic algebra as an algebraic model of program behavior. Beginning with the monograph of Conway (1971), many authors have con-
MIT Press Math7X9/2000/06/30:10:36 Page 419
Other Approaches
419
tributed over the years to the development of the algebraic theory; see Backhouse (1975); Krob (1991); Kleene (1956); Kuich and Salomaa (1986); Sakarovitch (1987); Kozen (1990); Bloom and E sik (1992); Hopkins and Kozen (1999). See also Kozen (1996) for further references. A Kleene algebra is an algebraic structure (K; +; ; ; 0; 1) satisfying the axioms + ( + ) = ( + ) + + = + +0 = + = ( ) = ( ) 1 = 1 = ( + ) = + ( + ) = + 0 = 0 = 0 1 + = 1 + = (17.5.1) + ! (17.5.2) + ! (17.5.3) where refers to the natural partial order on K : def () + = :
In short, a KA is an idempotent semiring under +; ; 0; 1 satisfying (17.5.1){ (17.5.3) for . The axioms (17.5.1){(17.5.3) say essentially that behaves like the asterate operator on sets of strings or re exive transitive closure on binary relations. This particular axiomatization is from Kozen (1991a, 1994a), but there are other competing ones. The axioms (17.5.2) and (17.5.3) correspond to the re exive transitive closure rule (RTC) of PDL (Section 5.6). Instead, we might postulate the equivalent axioms ! (17.5.4)
! ; (17.5.5) which correspond to the loop invariance rule (LI). The induction axiom (IND) is inexpressible in KA, since there is no negation. A Kleene algebra is -continuous if it satis es the in nitary condition = sup n (17.5.6) n0
MIT Press Math7X9/2000/06/30:10:36 Page 420
420
Chapter 17
where 0 def = 1 n+1 def = n and where the supremum is with respect to the natural order . We can think of (17.5.6) as a conjunction of the in nitely many axioms n , n 0, and the in nitary Horn formula ^ ( n ) ! : n0
In the presence of the other axioms, the *-continuity condition (17.5.6) implies (17.5.2){(17.5.5) and is strictly stronger in the sense that there exist Kleene algebras that are not *-continuous (Kozen (1990)). The fundamental motivating example of a Kleene algebra is the family of regular sets of strings over a nite alphabet, but other classes of structures share the same equational theory, notably the binary relations on a set. In fact it is the latter interpretation that makes Kleene algebra a suitable choice for modeling programs in dynamic algebras. Other more unusual interpretations are the min; + algebra used in shortest path algorithms (see Aho et al. (1975); Tarjan (1981); Mehlhorn (1984); Kozen (1991b)) and KAs of convex polyhedra used in computational geometry as described in Iwano and Steiglitz (1990). Axiomatization of the equational theory of the regular sets is a central question going back to the original paper of Kleene (1956). A completeness theorem for relational algebras was given in an extended language by Ng (1984); Ng and Tarski (1977). Axiomatization is a central focus of the monograph of Conway (1971), but the bulk of his treatment is in nitary. Redko (1964) proved that there is no nite equational axiomatization. Schematic equational axiomatizations for the algebra of regular sets, necessarily representing in nitely many equations, have been given by Krob (1991) and Bloom and E sik (1993). Salomaa (1966) gave two nitary complete axiomatizations that are sound for the regular sets but not sound in general over other standard interpretations, including relational interpretations. The axiomatization given above is a nitary universal Horn axiomatization that is sound and complete for the equational theory of standard relational and languagetheoretic models, including the regular sets (Kozen (1991a, 1994a)). Other work on completeness appears in Krob (1991); Boa (1990, 1995); Archangelsky (1992). The literature contains a bewildering array of inequivalent de nitions of Kleene algebras and related algebraic structures; see Conway (1971); Pratt (1988, 1990); Kozen (1981b, 1991a); Aho et al. (1975); Mehlhorn (1984); Kuich (1987); Kozen (1994b). As demonstrated in Kozen (1990), many of these are strongly related.
MIT Press Math7X9/2000/06/30:10:36 Page 421
Other Approaches
421
One important property shared by most of them is closure under the formation of n n matrices. This was proved for the axiomatization of Section 16.4 in Kozen (1991a, 1994a), but the idea essentially goes back to Kleene (1956); Conway (1971); Backhouse (1975). This result gives rise to an algebraic treatment of nite automata in which the automata are represented by their transition matrices. The equational theory of Kleene algebra is PSPACE -complete (Stockmeyer and Meyer (1973)); thus it is apparently less complex than PDL, which is EXPTIME complete (Theorem 8.5), although the strict separation of the two complexity classes is still open.
Kleene Algebra with Tests
From a practical standpoint, many simple program manipulations such as loop unwinding and basic safety analysis do not require the full power of PDL, but can be carried out in a purely equational subsystem using the axioms of Kleene algebra. However, tests are an essential ingredient, since they are needed to model conventional programming constructs such as conditionals and while loops and to handle assertions. This motivates the de nition of the following variant of KA introduced in Kozen (1996, 1997b). A Kleene algebra with tests (KAT) is a Kleene algebra with an embedded Boolean subalgebra. Formally, it is a two-sorted algebra (K; B; +; ; ; ; 0; 1) such that (K; +; ; ; 0; 1) is a Kleene algebra (B; +; ; ; 0; 1) is a Boolean algebra B K. The unary negation operator is de ned only on B . Elements of B are called tests and are written '; ; : : : . Elements of K (including elements of B ) are written ; ; : : : . In PDL, a test would be written '?, but in KAT we dispense with the symbol ?. This deceptively concise de nition actually carries a lot of information. The operators +; ; 0; 1 each play two roles: applied to arbitrary elements of K , they refer to nondeterministic choice, composition, fail, and skip, respectively; and applied to tests, they take on the additional meaning of Boolean disjunction, conjunction, falsity, and truth, respectively. These two usages do not con ict|for example, sequential testing of two tests is the same as testing their conjunction|and their coexistence admits considerable economy of expression.
MIT Press Math7X9/2000/06/30:10:36 Page 422
422
Chapter 17
For applications in program veri cation, the standard interpretation would be a Kleene algebra of binary relations on a set and the Boolean algebra of subsets of the identity relation. One could also consider trace models, in which the Kleene elements are sets of traces (sequences of states) and the Boolean elements are sets of states (traces of length 0). As with KA, one can form the algebra n n matrices over a KAT (K; B ); the Boolean elements of this structure are the diagonal matrices over B . KAT can express conventional imperative programming constructs such as conditionals and while loops as in PDL. It can perform elementary program manipulation such as loop unwinding, constant propagation, and basic safety analysis in a purely equational manner. The applicability of KAT and related equational systems in practical program veri cation has been explored in Cohen (1994a,b,c); Kozen (1996); Kozen and Patron (2000). There is a language-theoretic model that plays the same role in KAT that the regular sets play in KA, namely the algebra of regular sets of guarded strings, and a corresponding completeness result was obtained by Kozen and Smith (1996). Moreover, KAT is complete for the equational theory of relational models, as shown in Kozen and Smith (1996). Although less expressive than PDL, KAT is also apparently less dicult to decide: it is PSPACE -complete, the same as KA, as shown in Cohen et al. (1996). In Kozen (1999a), it is shown that KAT subsumes propositional Hoare Logic in the following sense. The partial correctness assertion f'g f g is encoded in KAT as the equation ' = 0, or equivalently ' = ' . If a rule
f'1 g 1 f 1 g; : : : ; f'n g n f n g f'g f g
is derivable in propositional Hoare Logic, then its translation, the universal Horn formula '1 1 1 = 0 ^ ^ 'n n n = 0 ! ' = 0; is a theorem of KAT. For example, the while rule of Section 4.4 becomes '' = 0 ! '() ' = 0: More generally, all relationally valid Horn formulas of the form
1 = 0 ^ ^ n = 0 ! = are theorems of KAT (Kozen (1999a)). Horn formulas are important from a practical standpoint. For example, com-
MIT Press Math7X9/2000/06/30:10:36 Page 423
Other Approaches
423
mutativity conditions are used to model the idea that the execution of certain instructions does not aect the result of certain tests. In light of this, the complexity of the universal Horn theory of KA and KAT are of interest. There are both positive and negative results. It is shown in Kozen (1997c) that for a Horn formula ! ' over *-continuous Kleene algebras, if contains only commutativity conditions = , the universal Horn theory is 01 -complete; if contains only monoid equations, the problem is 02 -complete; for arbitrary nite sets of equations , the problem is 11 -complete. On the other hand, commutativity assumptions of the form ' = ', where ' is a test, and assumptions of the form = 0 can be eliminated without loss of eciency, as shown in Cohen (1994a); Kozen and Smith (1996). Note that assumptions of this form are all we need to encode Hoare Logic as described above. In typed Kleene algebra introduced in Kozen (1998, 1999b), elements have types s ! t. This allows Kleene algebras of nonsquare matrices, among other applications. It is shown in Kozen (1999b) that Hoare Logic is subsumed by the type calculus of typed KA augmented with a typecast or coercion rule for tests. Thus Hoare-style reasoning with partial correctness assertions reduces to typechecking in a relatively simple type system.
MIT Press Math7X9/2000/06/30:10:36 P age 424
MIT Press Math7X9/2000/06/30:10:36 Page 425
References
Abrahamson, K. (1980). Decidability and expressiveness of logics of processes. Ph. D. thesis, Univ. of Washington. Adian, S. I. (1979). The Burnside Problem and Identities in Groups. Springer-Verlag. Aho, A. V., J. E. Hopcroft, and J. D. Ullman (1975). The Design and Analysis of Computer Algorithms. Reading, Mass.: Addison-Wesley. Ambler, S., M. Kwiatkowska, and N. Measor (1995, November). Duality and the completeness of the modal -calculus. Theor. Comput. Sci. 151 (1), 3{27. Andreka, H., I. Nemeti, and I. Sain (1982a). A complete logic for reasoning about programs via nonstandard model theory, part I. Theor. Comput. Sci. 17, 193{212. Andreka, H., I. Nemeti, and I. Sain (1982b). A complete logic for reasoning about programs via nonstandard model theory, part II. Theor. Comput. Sci. 17, 259{278. Apt, K. R. (1981). Ten years of Hoare's logic: a survey|part I. ACM Trans. Programming Languages and Systems 3, 431{483. Apt, K. R. and E.-R. Olderog (1991). Veri cation of Sequential and Concurrent Programs. Springer-Verlag. Apt, K. R. and G. Plotkin (1986). Countable nondeterminism and random assignment. J. Assoc. Comput. Mach. 33, 724{767. Archangelsky, K. V. (1992). A new nite complete solvable quasiequational calculus for algebra of regular languages. Manuscript, Kiev State University. Arnold, A. (1997a). An initial semantics for the -calculus on trees and Rabin's complementation lemma. Technical report, University of Bordeaux. Arnold, A. (1997b). The -calculus on trees and Rabin's complementation theorem. Technical report, University of Bordeaux. Backhouse, R. C. (1975). Closure Algorithms and the Star-Height Problem of Regular Languages. Ph. D. thesis, Imperial College, London, U.K. Backhouse, R. C. (1986). Program Construction and Veri cation. Prentice-Hall. Baier, C. and M. Kwiatkowska (1998, April). On the veri cation of qualitative properties of probabilistic processes under fairness constraints. Information Processing Letters 66 (2), 71{79. Banachowski, L., A. Kreczmar, G. Mirkowska, H. Rasiowa, and A. Salwicki (1977). An introduction to algorithmic logic: metamathematical investigations in the theory of programs. In Mazurkiewitz and Pawlak (Eds.), Math. Found. Comput. Sci., pp. 7{99. Banach Center, Warsaw. Barwise, J. (1975). Admissible Sets and Structures. North-Holland. Bell, J. S. and A. B. Slomson (1971). Models and Ultraproducts. North Holland. Ben-Ari, M., J. Y. Halpern, and A. Pnueli (1982). Deterministic propositional dynamic logic: nite models, complexity and completeness. J. Comput. Syst. Sci. 25, 402{417. Berman, F. (1978). Expressiveness hierarchy for PDL with rich tests. Technical Report 78-11-01, Comput. Sci. Dept., Univ. of Washington. Berman, F. (1979). A completeness technique for D-axiomatizable semantics. In Proc. 11th Symp. Theory of Comput., pp. 160{166. ACM. Berman, F. (1982). Semantics of looping programs in propositional dynamic logic. Math. Syst. Theory 15, 285{294. Berman, F. and M. Paterson (1981). Propositional dynamic logic is weaker without tests. Theor. Comput. Sci. 16, 321{328. Berman, P., J. Y. Halpern, and J. Tiuryn (1982). On the power of nondeterminism in dynamic logic. In Nielsen and Schmidt (Eds.), Proc 9th Colloq. Automata Lang. Prog., Volume 140 of Lect. Notes in Comput. Sci., pp. 48{60. Springer-Verlag. Bhat, G. and R. Cleaveland (1996, March). Ecient local model checking for fragments of the modal -calculus. In T. Margaria and B. Steen (Eds.), Proc. Second Int. Workshop Tools and
MIT Press Math7X9/2000/06/30:10:36 Page 426
426
References
Algorithms for the Construction and Analysis of Systems (TACAS'96), Volume 1055 of Lect. Notes in Comput. Sci., pp. 107{112. Springer-Verlag. Birkho, G. (1935). On the structure of abstract algebras. Proc. Cambridge Phil. Soc. 31, 433{454. Birkho, G. (1973). Lattice Theory (third ed.). American Mathematical Society. Bloom, S. L. and Z. E sik (1992). Program correctness and matricial iteration theories. In Proc. Mathematical Foundations of Programming Semantics, 7th Int. Conf., Volume 598 of Lecture Notes in Computer Science, pp. 457{476. Springer-Verlag. Bloom, S. L. and Z. E sik (1993). Equational axioms for regular sets. Math. Struct. Comput. Sci. 3, 1{24. Blute, R., J. Desharnais, A. Edelat, and P. Panangaden (1997). Bisimulation for labeled Markov processes. In Proc. 12th Symp. Logic in Comput. Sci., pp. 149{158. IEEE. Boa, M. (1990). Une remarque sur les systemes complets d'identites rationnelles. Informatique Theoretique et Applications/Theoretical Informatics and Applications 24 (4), 419{423. Boa, M. (1995). Une condition impliquant toutes les identites rationnelles. Informatique Theoretique et Applications/Theoretical Informatics and Applications 29 (6), 515{518. Bonsangue, M. and M. Kwiatkowska (1995, August). Re-interpreting the modal -calculus. In A. Ponse, M. van Rijke, and Y. Venema (Eds.), Modal Logic and Process Algebra, pp. 65{83. CSLI Lecture Notes. Boole, G. (1847). The Mathematical Analysis of Logic. MacMillan, Barclay and MacMillan, Cambridge. Borger, E. (1984). Spectralproblem and completeness of logical decision problems. In G. H. E. Borger and D. Rodding (Eds.), Logic and Machines: Decision Problems and Complexity, Proccedings, Volume 171 of Lect. Notes in Comput. Sci., pp. 333{356. Springer-Verlag. Brad eld, J. C. (1996). The modal -calculus alternation hierarchy is strict. In U. Montanari and V. Sassone (Eds.), Proc. CONCUR'96, Volume 1119 of Lect. Notes in Comput. Sci., pp. 233{246. Springer. Burstall, R. M. (1974). Program proving as hand simulation with a little induction. Information Processing , 308{312. Chandra, A., D. Kozen, and L. Stockmeyer (1981). Alternation. J. Assoc. Comput. Mach. 28 (1), 114{133. Chang, C. C. and H. J. Keisler (1973). Model Theory. North-Holland. Chellas, B. F. (1980). Modal Logic: An Introduction. Cambridge University Press. Clarke, E. M. (1979). Programming language constructs for which it is impossible to obtain good Hoare axiom systems. J. Assoc. Comput. Mach. 26, 129{147. Cleaveland, R. (1996, July). Ecient model checking via the equational -calculus. In Proc. 11th Symp. Logic in Comput. Sci., pp. 304{312. IEEE. Cohen, E. (1994a, April). Hypotheses in Kleene algebra. Available as ftp://ftp.bellcore.com/pub/ernie/research/homepage.html. Cohen, E. (1994b). Lazy caching. Available as ftp://ftp.bellcore.com/pub/ernie/research/homepage.html. Cohen, E. (1994c). Using Kleene algebra to reason about concurrency control. Available as ftp://ftp.bellcore.com/pub/ernie/research/homepage.html. Cohen, E., D. Kozen, and F. Smith (1996, July). The complexity of Kleene algebra with tests. Technical Report 96-1598, Computer Science Department, Cornell University. Constable, R. L. (1977, May). On the theory of programming logics. In Proc. 9th Symp. Theory of Comput., pp. 269{285. ACM. Constable, R. L. and M. O'Donnell (1978). A Programming Logic. Winthrop.
MIT Press Math7X9/2000/06/30:10:36 Page 427
References
427
Conway, J. H. (1971). Regular Algebra and Finite Machines. London: Chapman and Hall. Cook, S. A. (1971). The complexity of theorem proving procedures. In Proc. Third Symp. Theory of Computing, New York, pp. 151{158. Assoc. Comput. Mach. Cook, S. A. (1978). Soundness and completeness of an axiom system for program veri cation. SIAM J. Comput. 7, 70{80. Courcoubetis, C. and M. Yannakakis (1988, October). Verifying temporal properties of nite-state probabilistic programs. In Proc. 29th Symp. Foundations of Comput. Sci., pp. 338{345. IEEE. Cousot, P. (1990). Methods and logics for proving programs. In J. van Leeuwen (Ed.), Handbood of Theoretical Computer Science, Volume B, pp. 841{993. Amsterdam: Elsevier. Csirmaz, L. (1985). A completeness theorem for dynamic logic. Notre Dame J. Formal Logic 26, 51{60. Davis, M. D., R. Sigal, and E. J. Weyuker (1994). Computability, Complexity, and Languages: Fundamentals of Theoretical Computer Science. Academic Press. de Bakker, J. (1980). Mathematical Theory of Program Correctness. Prentice-Hall. Ehrenfeucht, A. (1961). An application of games in the completeness problem for formalized theories. Fund. Math. 49, 129{141. Emerson, E. A. (1985). Automata, tableax, and temporal logics. In R. Parikh (Ed.), Proc. Workshop on Logics of Programs, Volume 193 of Lect. Notes in Comput. Sci., pp. 79{88. Springer-Verlag. Emerson, E. A. (1990). Temporal and modal logic. In J. van Leeuwen (Ed.), Handbook of theoretical computer science, Volume B: formal models and semantics, pp. 995{1072. Elsevier. Emerson, E. A. and J. Y. Halpern (1985). Decision procedures and expressiveness in the temporal logic of branching time. J. Comput. Syst. Sci. 30 (1), 1{24. Emerson, E. A. and J. Y. Halpern (1986). \Sometimes" and \not never" revisited: on branching vs. linear time temporal logic. J. ACM 33 (1), 151{178. Emerson, E. A. and C. Jutla (1988, October). The complexity of tree automata and logics of programs. In Proc. 29th Symp. Foundations of Comput. Sci., pp. 328{337. IEEE. Emerson, E. A. and C. Jutla (1989, June). On simultaneously determinizing and complementing !-automata. In Proc. 4th Symp. Logic in Comput. Sci. IEEE. Emerson, E. A. and C.-L. Lei (1986, June). Ecient model checking in fragments of the propositional -calculus. In Proc. 1st Symp. Logic in Comput. Sci., pp. 267{278. IEEE. Emerson, E. A. and C. L. Lei (1987). Modalities for model checking: branching time strikes back. Sci. Comput. Programming 8, 275{306. Emerson, E. A. and P. A. Sistla (1984). Deciding full branching-time logic. Infor. and Control 61, 175{201. Engeler, E. (1967). Algorithmic properties of structures. Math. Syst. Theory 1, 183{195. Engelfriet, J. (1983). Iterated pushdown automata and complexity classes. In Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing, Boston, Massachusetts, pp. 365{373. Erimbetov, M. M. (1981). On the expressive power of programming logics. In Proc. Alma-Ata Conf. Research in Theoretical Programming, pp. 49{68. In Russian. Feldman, Y. A. (1984). A decidable propositional dynamic logic with explicit probabilities. Infor. and Control 63, 11{38. Feldman, Y. A. and D. Harel (1984). A probabilistic dynamic logic. J. Comput. Syst. Sci. 28, 193{215. Ferman, A. and D. Harel (2000). In preparation. Fischer, M. J. and R. E. Ladner (1977). Propositional modal logic of programs. In Proc. 9th Symp. Theory of Comput., pp. 286{294. ACM.
MIT Press Math7X9/2000/06/30:10:36 Page 428
428
References
Fischer, M. J. and R. E. Ladner (1979). Propositional dynamic logic of regular programs. J. Comput. Syst. Sci. 18 (2), 194{211. Fischer, P. C. (1966). Turing machines with restricted memory access. Information and Control 9 (4), 364{379. Fischer, P. C., A. R. Meyer, and A. L. Rosenberg (1968). Counter machines and counter languages. Math. Systems Theory 2 (3), 265{283. Floyd, R. W. (1967). Assigning meanings to programs. In Proc. Symp. Appl. Math., Volume 19, pp. 19{31. AMS. Friedman, H. (1971). Algorithmic procedures, generalized Turing algorithms, and elementary recursion theory. In Gandy and Yates (Eds.), Logic Colloq. 1969, pp. 361{390. North-Holland. Gabbay, D. (1977). Axiomatizations of logics of programs. Unpublished. Gabbay, D., I. Hodkinson, and M. Reynolds (1994). Temporal Logic: Mathematical Foundations and Computational Aspects. Oxford University Press. Gabbay, D., A. Pnueli, S. Shelah, and J. Stavi (1980). On the temporal analysis of fairness. In Proc. 7th Symp. Princip. Prog. Lang., pp. 163{173. ACM. Garey, M. R. and D. S. Johnson (1979). Computers and Intractibility: A Guide to the Theory of NP-Completeness. W.H. Freeman. Godel, K. (1930). Die Vollstandigkeit der Axiome des logischen Funktionenkalkuls. Monatsh. Math. Phys. 37, 349{360. Goldblatt, R. (1982). Axiomatising the Logic of Computer Programming, Volume 130 of Lect. Notes in Comput. Sci. Springer-Verlag. Goldblatt, R. (1987). Logics of time and computation. Technical Report Lect. Notes 7, Center for the Study of Language and Information, Stanford Univ. Graham, R., D. Knuth, and O. Patashnik (1989). Concrete Mathematics: A Foundation for Computer Science. Addison-Wesley. Gratzer, G. (1978). Universal Algebra. Springer-Verlag. Greibach, S. (1975). Theory of Program Structures: Schemes, Semantics, Veri cation, Volume 36 of Lecture Notes in Computer Science. Springer Verlag. Gries, D. (1981). The Science of Programming. Springer-Verlag. Gries, D. and F. B. Schneider (1994). A Logical Approach to Discrete Math. Springer-Verlag. Third printing. Gurevich, Y. (1983). Algebras of feasible functions. In 24-th IEEE Annual Symposium on Foundations of Computer Science, pp. 210{214. Halmos, P. R. (1960). Naive Set Theory. Van Nostrand. Halpern, J. Y. (1981). On the expressive power of dynamic logic II. Technical Report TM-204, MIT/LCS. Halpern, J. Y. (1982). Deterministic process logic is elementary. In Proc. 23rd Symp. Found. Comput. Sci., pp. 204{216. IEEE. Halpern, J. Y. (1983). Deterministic process logic is elementary. Infor. and Control 57 (1), 56{89. Halpern, J. Y. and J. H. Reif (1981). The propositional dynamic logic of deterministic, well-structured programs. In Proc. 22nd Symp. Found. Comput. Sci., pp. 322{334. IEEE. Halpern, J. Y. and J. H. Reif (1983). The propositional dynamic logic of deterministic, well-structured programs. Theor. Comput. Sci. 27, 127{165. Hansson, H. and B. Jonsson (1994). A logic for reasoning about time and probability. Formal Aspects of Computing 6, 512{535. Harel, D. (1979). First-Order Dynamic Logic, Volume 68 of Lect. Notes in Comput. Sci. Springer-Verlag.
MIT Press Math7X9/2000/06/30:10:36 Page 429
References
429
Harel, D. (1984). Dynamic logic. In Gabbay and Guenthner (Eds.), Handbook of Philosophical Logic, Volume II: Extensions of Classical Logic, pp. 497{604. Reidel. Harel, D. (1985). Recurring dominoes: Making the highly undecidable highly understandable. Annals of Discrete Mathematics 24, 51{72. Harel, D. (1992). Algorithmics: The Spirit of Computing (second ed.). Addison-Wesley. Harel, D. and D. Kozen (1984). A programming language for the inductive sets, and applications. Information and Control 63 (1{2), 118{139. Harel, D., D. Kozen, and R. Parikh (1982). Process logic: Expressiveness, decidability, completeness. J. Comput. Syst. Sci. 25 (2), 144{170. Harel, D., A. R. Meyer, and V. R. Pratt (1977). Computability and completeness in logics of programs. In Proc. 9th Symp. Theory of Comput., pp. 261{268. ACM. Harel, D. and M. S. Paterson (1984). Undecidability of PDL with L = a2i i 0 . J. Comput. Syst. Sci. 29, 359{365. Harel, D. and D. Peleg (1985). More on looping vs. repeating in dynamic logic. Information Processing Letters 20, 87{90. Harel, D., A. Pnueli, and J. Stavi (1983). Propositional dynamic logic of nonregular programs. J. Comput. Syst. Sci. 26, 222{243. Harel, D., A. Pnueli, and M. Vardi (1982). Two dimensional temporal logic and PDL with intersection. Unpublished. Harel, D. and V. R. Pratt (1978). Nondeterminism in logics of programs. In Proc. 5th Symp. Princip. Prog. Lang., pp. 203{213. ACM. Harel, D. and D. Raz (1993). Deciding properties of nonregular programs. SIAM J. Comput. 22, 857{874. Harel, D. and D. Raz (1994). Deciding emptiness for stack automata on in nite trees. Information and Computation 113, 278{299. Harel, D. and R. Sherman (1982). Looping vs. repeating in dynamic logic. Infor. and Control 55, 175{192. Harel, D. and R. Sherman (1985). Propositional dynamic logic of owcharts. Infor. and Control 64, 119{135. Harel, D. and E. Singerman (1996). More on nonregular PDL: Finite models and Fibonacci-like programs. Information and Computation 128, 109{118. Hart, S., M. Sharir, and A. Pnueli (1982). Termination of probabilistic concurrent programs. In Proc. 9th Symp. Princip. Prog. Lang., pp. 1{6. ACM. Hartmanis, J. and R. E. Stearns (1965). On the complexity of algorithms. Trans. Amer. Math. Soc. 117, 285{306. Hartonas, C. (1998). Duality for modal -logics. Theor. Comput. Sci. 202 (1{2), 193{222. Henkin, L. (1949). The completeness of the rst order functional calculus. J. Symb. Logic 14, 159{166. Hennessy, M. C. B. and G. D. Plotkin (1979). Full abstraction for a simple programming language. In Proc. Symp. Semantics of Algorithmic Languages, Volume 74 of Lecture Notes in Computer Science, pp. 108{120. Springer-Verlag. Hitchcock, P. and D. Park (1972). Induction rules and termination proofs. In M. Nivat (Ed.), Int. Colloq. Automata Lang. Prog., pp. 225{251. North-Holland. Hoare, C. A. R. (1969). An axiomatic basis for computer programming. Comm. Assoc. Comput. Mach. 12, 576{580, 583. Hopcroft, J. E. and J. D. Ullman (1979). Introduction to Automata Theory, Languages and Computation. Addison-Wesley. Hopkins, M. and D. Kozen (1999, July). Parikh's theorem in commutative Kleene algebra. In Proc. Conf. Logic in Computer Science (LICS'99), pp. 394{401. IEEE. f
j
g
MIT Press Math7X9/2000/06/30:10:36 Page 430
430
References
Hughes, G. E. and M. J. Cresswell (1968). An Introduction to Modal Logic. Methuen. Huth, M. and M. Kwiatkowska (1997). Quantitative analysis and model checking. In Proc. 12th Symp. Logic in Comput. Sci., pp. 111{122. IEEE. Ianov, Y. I. (1960). The logical schemes of algorithms. In Problems of Cybernetics, Volume 1, pp. 82{140. Pergamon Press. Iwano, K. and K. Steiglitz (1990). A semiring on convex polygons and zero-sum cycle problems. SIAM J. Comput. 19 (5), 883{901. Jou, C. and S. Smolka (1990). Equivalences, congruences and complete axiomatizations for probabilistic processes. In Proc. CONCUR'90, Volume 458 of Lecture Notes in Comput. Sci., pp. 367{383. Springer-Verlag. Kaivola, R. (1997, April). Using Automata to Characterise Fixed Point Temporal Logics. Ph. D. thesis, University of Edinburgh. Report CST-135-97. Kamp, H. W. (1968). Tense logics and the theory of linear order. Ph. D. thesis, UCLA. Karp, R. M. (1972). Reducibility among combinatorial problems. In R. E. Miller and J. W. Thatcher (Eds.), Complexity of Computer Computations, pp. 85{103. Plenum Press. Keisler, J. (1971). Model Theory for In nitary Logic. North Holland. Kfoury, A. (1983). De nability by programs in rst-order structures. Theoretical Computer Science 25, 1{66. Kfoury, A. and A. Stolboushkin (1997). An in nite pebble game and applications. Information and Computation 136, 53{66. Kfoury, A. J. (1985). De nability by deterministic and nondeterministic programs with applications to rst-order dynamic logic. Infor. and Control 65 (2{3), 98{121. Kleene, S. C. (1943). Recursive predicates and quanti ers. Trans. Amer. Math. Soc. 53, 41{74. Kleene, S. C. (1952). Introduction to Metamathematics. D. van Nostrand. Kleene, S. C. (1955). On the forms of the predicates in the theory of constructive ordinals (second paper). Amer. J. Math. 77, 405{428. Kleene, S. C. (1956). Representation of events in nerve nets and nite automata. In C. E. Shannon and J. McCarthy (Eds.), Automata Studies, pp. 3{41. Princeton, N.J.: Princeton University Press. Knijnenburg, P. M. W. (1988, November). On axiomatizations for propositional logics of programs. Technical Report RUU-CS-88-34, Rijksuniversiteit Utrecht. Koren, T. and A. Pnueli (1983). There exist decidable context-free propositional dynamic logics. In Proc. Symp. on Logics of Programs, Volume 164 of Lecture Notes in Computer Science, pp. 290{312. Springer-Verlag. Kowalczyk, W., D. Niwinski, and J. Tiuryn (1987). A generalization of Cook's auxiliary{pushdown{automata theorem. Fundamenta Informaticae XII, 497{506. Kozen, D. (1979a). Dynamic algebra. In E. Engeler (Ed.), Proc. Workshop on Logic of Programs, Volume 125 of Lecture Notes in Computer Science, pp. 102{144. Springer-Verlag. chapter of Propositional dynamic logics of programs: A survey by Rohit Parikh. Kozen, D. (1979b). On the duality of dynamic algebras and Kripke models. In E. Engeler (Ed.), Proc. Workshop on Logic of Programs, Volume 125 of Lecture Notes in Computer Science, pp. 1{11. Springer-Verlag. Kozen, D. (1979c, October). On the representation of dynamic algebras. Technical Report RC7898, IBM Thomas J. Watson Research Center. Kozen, D. (1980a, May). On the representation of dynamic algebras II. Technical Report RC8290, IBM Thomas J. Watson Research Center. Kozen, D. (1980b, July). A representation theorem for models of *-free PDL. In Proc. 7th Colloq. Automata, Languages, and Programming, pp. 351{362. EATCS. Kozen, D. (1981a). Logics of programs. Lecture notes, Aarhus University, Denmark.
MIT Press Math7X9/2000/06/30:10:36 Page 431
References
431
Kozen, D. (1981b). On induction vs. *-continuity. In Kozen (Ed.), Proc. Workshop on Logic of Programs, Volume 131 of Lecture Notes in Computer Science, New York, pp. 167{176. Springer-Verlag. Kozen, D. (1981c). On the expressiveness of . Manuscript. Kozen, D. (1981d). Semantics of probabilistic programs. J. Comput. Syst. Sci. 22, 328{350. Kozen, D. (1982, July). Results on the propositional -calculus. In Proc. 9th Int. Colloq. Automata, Languages, and Programming, Aarhus, Denmark, pp. 348{359. EATCS. Kozen, D. (1983). Results on the propositional -calculus. Theor. Comput. Sci. 27, 333{354. Kozen, D. (1984, May). A Ramsey theorem with in nitely many colors. In Lenstra, Lenstra, and van Emde Boas (Eds.), Dopo Le Parole, pp. 71{72. Amsterdam: University of Amsterdam. Kozen, D. (1985, April). A probabilistic PDL. J. Comput. Syst. Sci. 30 (2), 162{178. Kozen, D. (1988). A nite model theorem for the propositional -calculus. Studia Logica 47 (3), 233{241. Kozen, D. (1990). On Kleene algebras and closed semirings. In Rovan (Ed.), Proc. Math. Found. Comput. Sci., Volume 452 of Lecture Notes in Computer Science, Banska-Bystrica, Slovakia, pp. 26{47. Springer-Verlag. Kozen, D. (1991a, July). A completeness theorem for Kleene algebras and the algebra of regular events. In Proc. 6th Symp. Logic in Comput. Sci., Amsterdam, pp. 214{225. IEEE. Kozen, D. (1991b). The Design and Analysis of Algorithms. New York: Springer-Verlag. Kozen, D. (1994a, May). A completeness theorem for Kleene algebras and the algebra of regular events. Infor. and Comput. 110 (2), 366{390. Kozen, D. (1994b). On action algebras. In J. van Eijck and A. Visser (Eds.), Logic and Information Flow, pp. 78{88. MIT Press. Kozen, D. (1996, March). Kleene algebra with tests and commutativity conditions. In T. Margaria and B. Steen (Eds.), Proc. Second Int. Workshop Tools and Algorithms for the Construction and Analysis of Systems (TACAS'96), Volume 1055 of Lecture Notes in Computer Science, Passau, Germany, pp. 14{33. Springer-Verlag. Kozen, D. (1997a). Automata and Computability. New York: Springer-Verlag. Kozen, D. (1997b, May). Kleene algebra with tests. Transactions on Programming Languages and Systems 19 (3), 427{443. Kozen, D. (1997c, June). On the complexity of reasoning in Kleene algebra. In Proc. 12th Symp. Logic in Comput. Sci., Los Alamitos, Ca., pp. 195{202. IEEE. Kozen, D. (1998, March). Typed Kleene algebra. Technical Report 98-1669, Computer Science Department, Cornell University. Kozen, D. (1999a, July). On Hoare logic and Kleene algebra with tests. In Proc. Conf. Logic in Computer Science (LICS'99), pp. 167{172. IEEE. Kozen, D. (1999b, July). On Hoare logic, Kleene algebra, and types. Technical Report 99-1760, Computer Science Department, Cornell University. Abstract in: Abstracts of 11th Int. Congress Logic, Methodology and Philosophy of Science, Ed. J. Cachro and K. Kijania-Placek, Krakow, Poland, August 1999, p. 15. To appear in: Proc. 11th Int. Congress Logic, Methodology and Philosophy of Science, ed. P. Gardenfors, K. Kijania-Placek and J. Wolenski, Kluwer. Kozen, D. and R. Parikh (1981). An elementary proof of the completeness of PDL. Theor. Comput. Sci. 14 (1), 113{118. Kozen, D. and R. Parikh (1983). A decision procedure for the propositional -calculus. In Clarke and Kozen (Eds.), Proc. Workshop on Logics of Programs, Volume 164 of Lecture Notes in Computer Science, pp. 313{325. Springer-Verlag. Kozen, D. and M.-C. Patron (2000, July). Certi cation of compiler optimizations using Kleene algebra with tests. In U. Furbach and M. Kerber (Eds.), Proc. 1st Int. Conf. Computational Logic, London. To appear.
MIT Press Math7X9/2000/06/30:10:36 Page 432
432
References
Kozen, D. and F. Smith (1996, September). Kleene algebra with tests: Completeness and decidability. In D. van Dalen and M. Bezem (Eds.), Proc. 10th Int. Workshop Computer Science Logic (CSL'96), Volume 1258 of Lecture Notes in Computer Science, Utrecht, The Netherlands, pp. 244{259. Springer-Verlag. Kozen, D. and J. Tiuryn (1990). Logics of programs. In van Leeuwen (Ed.), Handbook of Theoretical Computer Science, Volume B, pp. 789{840. Amsterdam: North Holland. Kreczmar, A. (1977). Programmability in elds. Fundamenta Informaticae I, 195{230. Kripke, S. (1963). Semantic analysis of modal logic. Zeitschr. f. math. Logik und Grundlagen d. Math. 9, 67{96. Krob, D. (1991, October). A complete system of B -rational identities. Theoretical Computer Science 89 (2), 207{343. Kuich, W. (1987). The Kleene and Parikh theorem in complete semirings. In T. Ottmann (Ed.), Proc. 14th Colloq. Automata, Languages, and Programming, Volume 267 of Lecture Notes in Computer Science, New York, pp. 212{225. EATCS: Springer-Verlag. Kuich, W. and A. Salomaa (1986). Semirings, Automata, and Languages. Berlin: Springer-Verlag. Ladner, R. E. (1977). Unpublished. Lamport, L. (1980). \Sometime" is sometimes \not never". Proc. 7th Symp. Princip. Prog. Lang., 174{185. Lehmann, D. and S. Shelah (1982). Reasoning with time and chance. Infor. and Control 53 (3), 165{198. Lewis, H. R. and C. H. Papadimitriou (1981). Elements of the Theory of Computation. Prentice Hall. Lipton, R. J. (1977). A necessary and sucient condition for the existence of Hoare logics. In Proc. 18th Symp. Found. Comput. Sci., pp. 1{6. IEEE. Luckham, D. C., D. Park, and M. Paterson (1970). On formalized computer programs. J. Comput. Syst. Sci. 4, 220{249. Mader, A. (1997, September). Veri cation of Modal Properties Using Boolean Equation Systems. Ph. D. thesis, Fakultt fr Informatik, Technische Universitt Mnchen. Makowski, J. A. (1980). Measuring the expressive power of dynamic logics: an application of abstract model theory. In Proc. 7th Int. Colloq. Automata Lang. Prog., Volume 80 of Lect. Notes in Comput. Sci., pp. 409{421. Springer-Verlag. Makowski, J. A. and I. Sain (1986). On the equivalence of weak second-order and nonstandard time semantics for various program veri cation systems. In Proc. 1st Symp. Logic in Comput. Sci., pp. 293{300. IEEE. Makowsky, J. A. and M. L. Tiomkin (1980). Probabilistic propositional dynamic logic. Manuscript. Manna, Z. (1974). Mathematical Theory of Computation. McGraw-Hill. Manna, Z. and A. Pnueli (1981). Veri cation of concurrent programs: temporal proof principles. In D. Kozen (Ed.), Proc. Workshop on Logics of Programs, Volume 131 of Lect. Notes in Comput. Sci., pp. 200{252. Springer-Verlag. Manna, Z. and A. Pnueli (1987, January). Speci cation and veri cation of concurrent programs by -automata. In Proc. 14th Symp. Principles of Programming Languages, pp. 1{12. ACM. McCulloch, W. S. and W. Pitts (1943). A logical calculus of the ideas immanent in nervous activity. Bull. Math. Biophysics 5, 115{143. Mehlhorn, K. (1984). Graph Algorithms and NP-Completeness, Volume II of Data Structures and Algorithms. Springer-Verlag. Meyer, A. R. and J. Y. Halpern (1982). Axiomatic de nitions of programming languages: a theoretical assessment. J. Assoc. Comput. Mach. 29, 555{576. 8
MIT Press Math7X9/2000/06/30:10:36 Page 433
References
433
Meyer, A. R. and R. Parikh (1981). De nability in dynamic logic. J. Comput. Syst. Sci. 23, 279{298. Meyer, A. R., R. S. Streett, and G. Mirkowska (1981). The deducibility problem in propositional dynamic logic. In E. Engeler (Ed.), Proc. Workshop Logic of Programs, Volume 125 of Lect. Notes in Comput. Sci., pp. 12{22. Springer-Verlag. Meyer, A. R. and J. Tiuryn (1981). A note on equivalences among logics of programs. In D. Kozen (Ed.), Proc. Workshop on Logics of Programs, Volume 131 of Lect. Notes in Comput. Sci., pp. 282{299. Springer-Verlag. Meyer, A. R. and J. Tiuryn (1984). Equivalences among logics of programs. Journal of Computer and Systems Science 29, 160{170. Meyer, A. R. and K. Winklmann (1982). Expressing program looping in regular dynamic logic. Theor. Comput. Sci. 18, 301{323. Miller, G. L. (1976). Riemann's hypothesis and tests for primality. J. Comput. Syst. Sci. 13, 300{317. Minsky, M. L. (1961). Recursive unsolvability of Post's problem of 'tag' and other topics in the theory of Turing machines. Ann. Math. 74 (3), 437{455. Mirkowska, G. (1971). On formalized systems of algorithmic logic. Bull. Acad. Polon. Sci. Ser. Sci. Math. Astron. Phys. 19, 421{428. Mirkowska, G. (1980). Algorithmic logic with nondeterministic programs. Fund. Informaticae III, 45{64. Mirkowska, G. (1981a). PAL|propositional algorithmic logic. In E. Engeler (Ed.), Proc. Workshop Logic of Programs, Volume 125 of Lect. Notes in Comput. Sci., pp. 23{101. Springer-Verlag. Mirkowska, G. (1981b). PAL|propositional algorithmic logic. Fund. Informaticae IV, 675{760. Morgan, C., A. McIver, and K. Seidel (1999). Probabilistic predicate transformers. ACM Trans. Programming Languages and Systems 8 (1), 1{30. Moschovakis, Y. N. (1974). Elementary Induction on Abstract Structures. North-Holland. Moschovakis, Y. N. (1980). Descriptive Set Theory. North-Holland. Muller, D. E., A. Saoudi, and P. E. Schupp (1988, July). Weak alternating automata give a simple explanation of why most temporal and dynamic logics are decidable in exponential time. In Proc. 3rd Symp. Logic in Computer Science, pp. 422{427. IEEE. Nemeti, I. (1980). Every free algebra in the variety generated by the representable dynamic algebras is separable and representable. Manuscript. Nemeti, I. (1981). Nonstandard dynamic logic. In D. Kozen (Ed.), Proc. Workshop on Logics of Programs, Volume 131 of Lect. Notes in Comput. Sci., pp. 311{348. Springer-Verlag. Ng, K. C. (1984). Relation Algebras with Transitive Closure. Ph. D. thesis, University of California, Berkeley. Ng, K. C. and A. Tarski (1977). Relation algebras with transitive closure, abstract 742-02-09. Notices Amer. Math. Soc. 24, A29{A30. Nishimura, H. (1979). Sequential method in propositional dynamic logic. Acta Informatica 12, 377{400. Nishimura, H. (1980). Descriptively complete process logic. Acta Informatica 14, 359{369. Niwinski, D. (1984). The propositional -calculus is more expressive than the propositional dynamic logic of looping. University of Warsaw. Parikh, R. (1978a). The completeness of propositional dynamic logic. In Proc. 7th Symp. on Math. Found. of Comput. Sci., Volume 64 of Lect. Notes in Comput. Sci., pp. 403{415. Springer-Verlag. Parikh, R. (1978b). A decidability result for second order process logic. In Proc. 19th Symp. Found. Comput. Sci., pp. 177{183. IEEE.
MIT Press Math7X9/2000/06/30:10:36 Page 434
434
References
Parikh, R. (1981). Propositional dynamic logics of programs: a survey. In E. Engeler (Ed.), Proc. Workshop on Logics of Programs, Volume 125 of Lect. Notes in Comput. Sci., pp. 102{144. Springer-Verlag. Parikh, R. (1983). Propositional game logic. In Proc. 23rd IEEE Symp. Foundations of Computer Science. Parikh, R. and A. Mahoney (1983). A theory of probabilistic programs. In E. Clarke and D. Kozen (Eds.), Proc. Workshop on Logics of Programs, Volume 164 of Lect. Notes in Comput. Sci., pp. 396{402. Springer-Verlag. Park, D. (1976). Finiteness is -ineable. Theor. Comput. Sci. 3, 173{181. Paterson, M. S. and C. E. Hewitt (1970). Comparative schematology. In Record Project MAC Conf. on Concurrent Systems and Parallel Computation, pp. 119{128. ACM. Pecuchet, J. P. (1986). On the complementation of Buchi automata. Theor. Comput. Sci. 47, 95{98. Peleg, D. (1987a). Communication in concurrent dynamic logic. J. Comput. Sys. Sci. 35, 23{58. Peleg, D. (1987b). Concurrent dynamic logic. J. Assoc. Comput. Mach. 34 (2), 450{479. Peleg, D. (1987c). Concurrent program schemes and their logics. Theor. Comput. Sci. 55, 1{45. Peng, W. and S. P. Iyer (1995). A new type of pushdown-tree automata on in nite trees. Int. J. of Found. of Comput. Sci. 6 (2), 169{186. Peterson, G. L. (1978). The power of tests in propositional dynamic logic. Technical Report 47, Comput. Sci. Dept., Univ. of Rochester. Pnueli, A. (1977). The temporal logic of programs. In Proc. 18th Symp. Found. Comput. Sci., pp. 46{57. IEEE. Pnueli, A. and L. D. Zuck (1986). Veri cation of multiprocess probabilistic protocols. Distributed Computing 1 (1), 53{72. Pnueli, A. and L. D. Zuck (1993, March). Probabilistic veri cation. Information and Computation 103 (1), 1{29. Post, E. (1943). Formal reductions of the general combinatorial decision problem. Amer. J. Math. 65, 197{215. Post, E. (1944). Recursively enumerable sets of positive natural numbers and their decision problems. Bull. Amer. Math. Soc. 50, 284{316. Pratt, V. (1988, June). Dynamic algebras as a well-behaved fragment of relation algebras. In D. Pigozzi (Ed.), Proc. Conf. on Algebra and Computer Science, Volume 425 of Lecture Notes in Computer Science, Ames, Iowa, pp. 77{110. Springer-Verlag. Pratt, V. (1990, September). Action logic and pure induction. In J. van Eijck (Ed.), Proc. Logics in AI: European Workshop JELIA '90, Volume 478 of Lecture Notes in Computer Science, New York, pp. 97{120. Springer-Verlag. Pratt, V. R. (1976). Semantical considerations on Floyd-Hoare logic. In Proc. 17th Symp. Found. Comput. Sci., pp. 109{121. IEEE. Pratt, V. R. (1978). A practical decision method for propositional dynamic logic. In Proc. 10th Symp. Theory of Comput., pp. 326{337. ACM. Pratt, V. R. (1979a, July). Dynamic algebras: examples, constructions, applications. Technical Report TM-138, MIT/LCS. Pratt, V. R. (1979b). Models of program logics. In Proc. 20th Symp. Found. Comput. Sci., pp. 115{122. IEEE. Pratt, V. R. (1979c). Process logic. In Proc. 6th Symp. Princip. Prog. Lang., pp. 93{100. ACM. Pratt, V. R. (1980a). Dynamic algebras and the nature of induction. In Proc. 12th Symp. Theory of Comput., pp. 22{28. ACM. Pratt, V. R. (1980b). A near-optimal method for reasoning about actions. J. Comput. Syst. Sci. 20 (2), 231{254.
MIT Press Math7X9/2000/06/30:10:36 Page 435
References
435
Pratt, V. R. (1981a). A decidable -calculus: preliminary report. In Proc. 22nd Symp. Found. Comput. Sci., pp. 421{427. IEEE. Pratt, V. R. (1981b). Using graphs to understand PDL. In D. Kozen (Ed.), Proc. Workshop on Logics of Programs, Volume 131 of Lect. Notes in Comput. Sci., pp. 387{396. Springer-Verlag. Rabin, M. O. (1969). Decidability of second order theories and automata on in nite trees. Trans. Amer. Math. Soc. 141, 1{35. Rabin, M. O. (1980). Probabilistic algorithms for testing primality. J. Number Theory 12, 128{138. Rabin, M. O. and D. S. Scott (1959). Finite automata and their decision problems. IBM J. Res. Develop. 3 (2), 115{125. Ramshaw, L. H. (1981). Formalizing the analysis of algorithms. Ph. D. thesis, Stanford Univ. Rasiowa, H. and R. Sikorski (1963). Mathematics of Metamathematics. Polish Scienti c Publishers, PWN. Redko, V. N. (1964). On de ning relations for the algebra of regular events. Ukrain. Mat. Z. 16, 120{126. In Russian. Reif, J. (1980). Logics for probabilistic programming. In Proc. 12th Symp. Theory of Comput., pp. 8{13. ACM. Renegar, J. (1991). Computational complexity of solving real algebraic formulae. In Proc. Int. Congress of Mathematicians, pp. 1595{1606. Springer-Verlag. Rice, H. G. (1953). Classes of recursively enumerable sets and their decision problems. Trans. Amer. Math. Soc. 89, 25{59. Rice, H. G. (1956). On completely recursively enumerable classes and their key arrays. J. Symbolic Logic 21, 304{341. Rogers, H. (1967). Theory of Recursive Functions and Eective Computability. McGraw-Hill. Rogers, Jr., H. (1967). Theory of Recursive Functions and Eective Computability. McGraw-Hill. Rosen, K. H. (1995). Discrete Mathematics and Its Applications (3rd ed.). McGraw-Hill. Safra, S. (1988, October). On the complexity of !-automata. In Proc. 29th Symp. Foundations of Comput. Sci., pp. 319{327. IEEE. Sakarovitch, J. (1987). Kleene's theorem revisited: A formal path from Kleene to Chomsky. In A. Kelemenova and J. Keleman (Eds.), Trends, Techniques, and Problems in Theoretical Computer Science, Volume 281 of Lecture Notes in Computer Science, New York, pp. 39{50. Springer-Verlag. Salomaa, A. (1966, January). Two complete axiom systems for the algebra of regular events. J. Assoc. Comput. Mach. 13 (1), 158{169. Salomaa, A. (1981). Jewels of Formal Language Theory. Pitman Books Limited. Salwicki, A. (1970). Formalized algorithmic languages. Bull. Acad. Polon. Sci. Ser. Sci. Math. Astron. Phys. 18, 227{232. Salwicki, A. (1977). Algorithmic logic: a tool for investigations of programs. In Butts and Hintikka (Eds.), Logic Foundations of Mathematics and Computability Theory, pp. 281{295. Reidel. Saudi, A. (1989). Pushdown automata on in nite trees and omega-Kleene closure of context-free tree sets. In Proc. Math. Found. of Comput. Sci., Volume 379 of Lecture Notes in Computer Science, pp. 445{457. Springer-Verlag. Sazonov, V. (1980). Polynomial computability and recursivity in nite domains. Elektronische Informationsverarbeitung und Kibernetik 16, 319{323. Scott, D. S. and J. W. de Bakker (1969). A theory of programs. IBM Vienna. Segala, R. and N. Lynch (1994). Probabilistic simulations for probabilistic processes. In Proc. CONCUR'94, Volume 836 of Lecture Notes in Comput. Sci., pp. 481{496. Springer-Verlag.
MIT Press Math7X9/2000/06/30:10:36 Page 436
436
References
Segerberg, K. (1977). A completeness theorem in the modal logic of programs (preliminary report). Not. Amer. Math. Soc. 24 (6), A{552. Shoen eld, J. R. (1967). Mathematical Logic. Addison-Wesley. Sholz, H. (1952). Ein ungelostes Problem in der symbolischen Logik. The Journal of Symbolic Logic 17, 160. Sistla, A. P. and E. M. Clarke (1982). The complexity of propositional linear temporal logics. In Proc. 14th Symp. Theory of Comput., pp. 159{168. ACM. Sistla, A. P., M. Y. Vardi, and P. Wolper (1987). The complementation problem for Buchi automata with application to temporal logic. Theor. Comput. Sci. 49, 217{237. Soare, R. I. (1987). Recursively Enumerable Sets and Degrees. Springer-Verlag. Sokolsky, O. and S. Smolka (1994, June). Incremental model checking in the modal -calculus. In D. Dill (Ed.), Proc. Conf. Computer Aided Veri cation, Volume 818 of Lect. Notes in Comput. Sci., pp. 352{363. Springer. Steen, B., T. Margaria, A. Classen, V. Braun, R. Nisius, and M. Reitenspiess (1996, March). A constraint oriented service environment. In T. Margaria and B. Steen (Eds.), Proc. Second Int. Workshop Tools and Algorithms for the Construction and Analysis of Systems (TACAS'96), Volume 1055 of Lect. Notes in Comput. Sci., pp. 418{421. Springer. Stirling, C. (1992). Modal and temporal logics. In S. Abramsky, D. Gabbay, and T. Maibaum (Eds.), Handbook of Logic in Computer Science, pp. 477{563. Clarendon Press. Stirling, C. and D. Walker (1989, March). Local model checking in the modal -calculus. In Proc. Int. Joint Conf. Theory and Practice of Software Develop. (TAPSOFT89), Volume 352 of Lect. Notes in Comput. Sci., pp. 369{383. Springer. Stockmeyer, L. J. and A. R. Meyer (1973). Word problems requiring exponential time. In Proc. 5th Symp. Theory of Computing, New York, pp. 1{9. ACM: ACM. Stolboushkin, A. (1983). Regular dynamic logic is not interpretable in deterministic context-free dynamic logic. Information and Computation 59, 94{107. Stolboushkin, A. (1989, June). Some complexity bounds for dynamic logic. In Proc. 4th Symp. Logic in Comput. Sci., pp. 324{332. IEEE. Stolboushkin, A. P. and M. A. Taitslin (1983). Deterministic dynamic logic is strictly weaker than dynamic logic. Infor. and Control 57, 48{55. Stone, M. H. (1936). The representation theorem for Boolean algebra. Trans. Amer. Math. Soc. 40, 37{111. Streett, R. (1985a). Fixpoints and program looping: reductions from the propositional -calculus into propositional dynamic logics of looping. In Parikh (Ed.), Proc. Workshop on Logics of Programs 1985, pp. 359{372. Springer. Lect. Notes in Comput. Sci. 193. Streett, R. and E. A. Emerson (1984). The propositional -calculus is elementary. In Proc. 11th Int. Colloq. on Automata Languages and Programming, pp. 465{472. Springer. Lect. Notes in Comput. Sci. 172. Streett, R. S. (1981). Propositional dynamic logic of looping and converse. In Proc. 13th Symp. Theory of Comput., pp. 375{381. ACM. Streett, R. S. (1982). Propositional dynamic logic of looping and converse is elementarily decidable. Infor. and Control 54, 121{141. Streett, R. S. (1985b). Fixpoints and program looping: reductions from the propositional -calculus into propositional dynamic logics of looping. In R. Parikh (Ed.), Proc. Workshop on Logics of Programs, Volume 193 of Lect. Notes in Comput. Sci., pp. 359{372. Springer-Verlag. Tarjan, R. E. (1981). A uni ed approach to path problems. J. Assoc. Comput. Mach., 577{593. Tarski, A. (1935). Die Wahrheitsbegri in den formalisierten Sprachen. Studia Philosophica 1, 261{405. Thiele, H. (1966). Wissenschaftstheoretische untersuchungen in algorithmischen sprachen. In
MIT Press Math7X9/2000/06/30:10:36 Page 437
References
437
Theorie der Graphschemata-Kalkale Veb Deutscher Verlag der Wissenschaften. Berlin. Thomas, W. (1997, May). Languages, automata, and logic. Technical Report 9607, Christian-Albrechts-Universitat Kiel. Tiuryn, J. (1981a). A survey of the logic of eective de nitions. In E. Engeler (Ed.), Proc. Workshop on Logics of Programs, Volume 125 of Lect. Notes in Comput. Sci., pp. 198{245. Springer-Verlag. Tiuryn, J. (1981b). Unbounded program memory adds to the expressive power of rst-order programming logics. In Proc. 22nd Symp. Found. Comput. Sci., pp. 335{339. IEEE. Tiuryn, J. (1984). Unbounded program memory adds to the expressive power of rst-order programming logics. Infor. and Control 60, 12{35. Tiuryn, J. (1986). Higher-order arrays and stacks in programming: an application of complexity theory to logics of programs. In Gruska and Rovan (Eds.), Proc. Math. Found. Comput. Sci., Volume 233 of Lect. Notes in Comput. Sci., pp. 177{198. Springer-Verlag. Tiuryn, J. (1989). A simpli ed proof of DDL < DL. Information and Computation 81, 1{12. Tiuryn, J. and P. Urzyczyn (1983). Some relationships between logics of programs and complexity theory. In Proc. 24th Symp. Found. Comput. Sci., pp. 180{184. IEEE. Tiuryn, J. and P. Urzyczyn (1984). Remarks on comparing expressive power of logics of programs. In Chytil and Koubek (Eds.), Proc. Math. Found. Comput. Sci., Volume 176 of Lect. Notes in Comput. Sci., pp. 535{543. Springer-Verlag. Tiuryn, J. and P. Urzyczyn (1988). Some relationships between logics of programs and complexity theory. Theor. Comput. Sci. 60, 83{108. Trnkova, V. and J. Reiterman (1980). Dynamic algebras which are not Kripke structures. In Proc. 9th Symp. on Math. Found. Comput. Sci., pp. 528{538. Turing, A. M. (1936). On computable numbers with an application to the Entscheidungsproblem. Proc. London Math. Soc. 42, 230{265. Erratum: Ibid., 43 (1937), pp. 544{546. Urzyczyn, P. (1983a). A necessary and sucient condition in order that a Herbrand interpretation be expressive relative to recursive programs. Information and Control 56, 212{219. Urzyczyn, P. (1983b). Nontrivial de nability by owchart programs. Infor. and Control 58, 59{87. Urzyczyn, P. (1983c). The Unwind Property. Ph. D. thesis, Warsaw University. In Polish. Urzyczyn, P. (1986). \During" cannot be expressed by \after". Journal of Computer and System Sciences 32, 97{104. Urzyczyn, P. (1987). Deterministic context-free dynamic logic is more expressive than deterministic dynamic logic of regular programs. Fundamenta Informaticae 10, 123{142. Urzyczyn, P. (1988). Logics of programs with Boolean memory. Fundamenta Informaticae XI, 21{40. Valiev, M. K. (1980). Decision complexity of variants of propositional dynamic logic. In Proc. 9th Symp. Math. Found. Comput. Sci., Volume 88 of Lect. Notes in Comput. Sci., pp. 656{664. Springer-Verlag. van Dalen, D. (1994). Logic and Structure (Third ed.). Springer-Verlag. van Emde Boas, P. (1978). The connection between modal logic and algorithmic logics. In Symp. on Math. Found. of Comp. Sci., pp. 1{15. Vardi, M. (1998a). Linear vs. branching time: a complexity-theoretic perspective. In Proc. 13th Symp. Logic in Comput. Sci., pp. 394{405. IEEE. Vardi, M. and P. Wolper (1986a). Automata-theoretic techniques for modal logics of programs. J. Comput. Sys. Sci. 32, 183{221. Vardi, M. Y. (1985a, October). Automatic veri cation of probabilistic concurrent nite-state
MIT Press Math7X9/2000/06/30:10:36 Page 438
438
References
programs. In Proc. 26th Symp. Found. Comput. Sci., pp. 327{338. IEEE. Vardi, M. Y. (1985b). The taming of the converse: reasoning about two-way computations. In R. Parikh (Ed.), Proc. Workshop on Logics of Programs, Volume 193 of Lect. Notes in Comput. Sci., pp. 413{424. Springer-Verlag. Vardi, M. Y. (1987, June). Veri cation of concurrent programs: the automata-theoretic framework. In Proc. 2nd Symp. Logic in Comput. Sci., pp. 167{176. IEEE. Vardi, M. Y. (1998b, July). Reasoning about the past with two-way automata. In Proc. 25th Int. Colloq. Automata Lang. Prog., Volume 1443 of Lect. Notes in Comput. Sci., pp. 628{641. Springer-Verlag. Vardi, M. Y. and L. Stockmeyer (1985, May). Improved upper and lower bounds for modal logics of programs: preliminary report. In Proc. 17th Symp. Theory of Comput., pp. 240{251. ACM. Vardi, M. Y. and P. Wolper (1986b, June). An automata-theoretic approach to automatic program veri cation. In Proc. 1st Symp. Logic in Computer Science, pp. 332{344. IEEE. Vardi, M. Y. and P. Wolper (1986c). Automata-theoretic techniques for modal logics of programs. J. Comput. Syst. Sci. 32, 183{221. Walukiewicz, I. (1993, June). Completeness result for the propositional -calculus. In Proc. 8th IEEE Symp. Logic in Comput. Sci. Walukiewicz, I. (1995, June). Completeness of Kozen's axiomatisation of the propositional -calculus. In Proc. 10th Symp. Logic in Comput. Sci., pp. 14{24. IEEE. Walukiewicz, I. (2000, February{March). Completeness of Kozen's axiomatisation of the propositional -calculus. Infor. and Comput. 157 (1{2), 142{182. Wand, M. (1978). A new incompleteness result for Hoare's system. J. Assoc. Comput. Mach. 25, 168{175. Whitehead, A. N. and B. Russell (1910{1913). Principia Mathematica. Cambridge University Press. Three volumes. Wolper, P. (1981). Temporal logic can be more expressive. In Proc. 22nd Symp. Foundations of Computer Science, pp. 340{348. IEEE. Wolper, P. (1983). Temporal logic can be more expressive. Infor. and Control 56, 72{99.
MIT Press Math7X9/2000/06/30:10:36 Page 439
Notation and Abbreviations
Z Q R N !
=)
! () $ i def =
def () jj A
" wR A; B; C; : : :
2
#A 2A
?
A[B A\B SA T
A
B;A A AB Q A 2I An
integers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 rational numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 real numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 natural numbers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 nite ordinals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 meta-implication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 implication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 meta-equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 equivalence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 if and only if . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 de nition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 de nition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 length of a sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 set of all nite strings over A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 empty string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 reverse of a string . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 set containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 set inclusion, subset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 strict inclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 cardinality of a set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 powerset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 empty set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 union . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 intersection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 union . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 intersection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 complement of A in B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 complement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Cartesian product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Cartesian product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Cartesian power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 projection function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
MIT Press Math7X9/2000/06/30:10:36 Page 440
440
ZFC
P; Q; R; : : :
?
R(a1 ; : : : ; an ) aRb
Rn ;
R+ R [a] f; g; h; : : : f :A!B A!B BA
7!
f ;1 f [a=b] sup B WFI
; ; ; : : :
Ord ZF
y
curry `; a xy
; ; ; : : :
Notation and Abbreviations
Zermelo{Fraenkel set theory with choice . . . . . . . . . . . . . . . . . . . . . 4 relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 empty relation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 (a1 ; : : : ; an ) 2 R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 (a; b) 2 R . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 relational composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 identity relation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 n-fold composition of a binary relation . . . . . . . . . . . . . . . . . . . . . . 7 converse.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 transitive closure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 re exive transitive closure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 equivalence class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 function with domain A and range B . . . . . . . . . . . . . . . . . . . . . . . . 9 function space. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 function space. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 anonymous function speci er . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 function restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10 function composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 inverse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 function patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 supremum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 well-founded induction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 ordinals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 class of all ordinals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Zermelo{Fraenkel set theory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 least pre xpoint operator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 currying operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 endmarkers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 blank symbol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28 transition function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Turing machine con gurations.. . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
MIT Press Math7X9/2000/06/30:10:36 Page 441
Notation and Abbreviations
1 ;! M;x
441
next con guration relation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 z [i=b] string replacement operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 1 ;! re exive transitive closure of ;! . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 M;x M;x L(M ) strings accepted by a Turing machine. . . . . . . . . . . . . . . . . . . . . . .30 transition relation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 HP halting problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 MP membership problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 DTIME (f (n)) deterministic time complexity class . . . . . . . . . . . . . . . . . . . . . . . . . 39 NTIME (f (n)) nondeterministic time complexity class . . . . . . . . . . . . . . . . . . . . . 39 ATIME (f (n)) alternating time complexity class . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 DSPACE (f (n)) deterministic space complexity class . . . . . . . . . . . . . . . . . . . . . . . . 39 NSPACE (f (n)) nondeterministic space complexity class . . . . . . . . . . . . . . . . . . . . 39 ASPACE (f (n)) alternating space complexity class . . . . . . . . . . . . . . . . . . . . . . . . . . 39 EXPTIME deterministic exponential time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40 NEXPTIME nondeterministic exponential time . . . . . . . . . . . . . . . . . . . . . . . . . . 40 P deterministic polynomial time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 NP nondeterministic polynomial time . . . . . . . . . . . . . . . . . . . . . . . . . . 40 M [B ] oracle Turing machine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41 0 1 r.e. sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 0 1 co-r.e. sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 0 1 recursive sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43 0n ; 0n ; 0n arithmetic hierarchy.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43 1 1 second-order universal relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 1 1 hyperarithmetic relations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45 IND programming language for inductive sets . . . . . . . . . . . . . . . . . . . 45 !1 least uncountable ordinal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 !1ck least nonrecursive ordinal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 ord labeling of well-founded tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50 m many-one reducibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 log m logspace reducibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54 pm polynomial-time reducibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54 satis ability relation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
MIT Press Math7X9/2000/06/30:10:36 Page 442
442
Th ` :
p; q; r; : : :
^ _ 1 0
'; ; ; : : : S, K DN MP EFQ
a; b; c; : : : =
x; y; : : : s; t; : : : T (X ) T A = (A; mA ) mA
fA
jAj
T (X ) u; v; w; : : : tA
Mod Th A Th D [a]
a b (mod n) a b (I )
Notation and Abbreviations
logical consequences of a set of formulas . . . . . . . . . . . . . . . . . . . . 69 provability relation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 negation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 atomic propositions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 conjunction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 disjunction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 truth. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71 falsity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 propositional formulas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72 axioms of propositional logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 double negation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 modus ponens. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77 e falso quodlibet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 vocabulary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 constants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 equality symbol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 individual variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 set of terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 ground terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87 -algebra .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 meaning function. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88 meaning of a function in a structure . . . . . . . . . . . . . . . . . . . . . . . . 88 carrier of a structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 term algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 valuations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90 meaning of a ground term in a structure. . . . . . . . . . . . . . . . . . . .90 models of a set of formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 theory of a structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 theory of a class of structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 congruence class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 number theoretic congruence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 congruence modulo an ideal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
MIT Press Math7X9/2000/06/30:10:36 Page 443
Notation and Abbreviations
/
443
normal subgroup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 A= quotient algebra. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96 REF re exivity rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 SYM symmetry rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 TRANS transitivity rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 CONG congruence rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 Q product algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 i2I Ai H closure operator for homomorphic images . . . . . . . . . . . . . . . . . 101 S closure operator for subalgebras . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 P closure operator for products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101 8 universal quanti er. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102 9 existential quanti er . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 p; q; r; : : : predicate symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 '; ; ; : : : rst-order formulas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103 p(t1 ; : : : ; tn ) atomic formula. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103 L!! rst-order predicate logic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103 '[x1 =t1 ; : : : ; xn =tn ] simultaneous substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 '[xi =ti j 1 i n] simultaneous substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 A = (A; mA ) relational structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105 GEN generalization rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 V ' in nitary conjunction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 W2A ' in nitary disjunction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 2A 2 modal necessity operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 3 modal possibility operator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127 K = (K; RK ; mK ) Kripke frame for modal logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 GEN modal generalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 a; b; c; : : : modalities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 [a] multimodal necessity operator. . . . . . . . . . . . . . . . . . . . . . . . . . . . .131 multimodal possibility operator . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 K = (K; mK ) Kripke frame for multimodal logic. . . . . . . . . . . . . . . . . . . . . . . . .131 rst() rst state of a path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 last() last state of a path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132 x := t assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
MIT Press Math7X9/2000/06/30:10:36 Page 444
444
; '? [ ; ; : : : CS () f'g f g '; ; : : : ; ; ; : : : a; b; c; : : : 0
p; q; r; : : : 0
[] <>
skip fail
K = (K; mK ) mK
u; v; w; : : : RTC LI IND FL(') FL2 (') K=FL(') PDA
a ba
PDL + L SkS CFL
Notation and Abbreviations
sequential composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 nondeterministic choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 iteration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 seqs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150 computation sequences of a program . . . . . . . . . . . . . . . . . . . . . . 150 partial correctness assertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 propositions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164 programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 atomic programs .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 set of atomic programs .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 atomic propositions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 set of atomic propositions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 set of programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 set of propositions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 DL box operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 DL diamond operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 null program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 failing program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Kripke frame for PDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 meaning function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 re exive transitive closure rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 loop invariance rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 induction axiom. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182 Fischer{Ladner closure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 Fischer{Ladner closure auxiliary function . . . . . . . . . . . . . . . . . 191 ltration of a Kripke frame. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195 pushdown automaton . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 a nonregular program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 extension of PDL with a nonregular program .. . . . . . . . . . . . . 229 monadic second-order theory of k successors.. . . . . . . . . . . . . .229 context-free language. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
MIT Press Math7X9/2000/06/30:10:36 Page 445
Notation and Abbreviations
UDH PTA
445
unique diamond path Hintikka tree. . . . . . . . . . . . . . . . . . . . . . . .241 pushdown tree automaton. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242 A` local automaton. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244 A2 box automaton. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245 A3 diamond automaton. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247 DWP deterministic while programs .. . . . . . . . . . . . . . . . . . . . . . . . . . . . 259 WP nondeterministic while programs . . . . . . . . . . . . . . . . . . . . . . . . . 260 DPDL deterministic PDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260 SPDL strict PDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 SDPDL strict deterministic PDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260 ( i ) programs with nesting of tests at most i . . . . . . . . . . . . . . . . . . .264 PDL(i) PDL with programs in (i) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264 (0) PDL test-free PDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264 APDL automata PDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 ; complement of a program .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 \ intersection of programs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268 IPDL PDL with intersection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 ; converse operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270 TC ('; ; ) total correctness assertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 least xed point operator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271 wf well-foundedness predicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 halt halt predicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 loop loop operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 repeat, repeat operator .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 RPDL PDL with well-foundedness predicate . . . . . . . . . . . . . . . . . . . . . . 272 LPDL PDL with halt predicate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272 CRPDL RPDL with converse.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .274 CLPDL LPDL with converse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 ^ concurrency operator.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277 F (t1 ; : : : ; tn ) := t array assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288 push(t) push instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 pop(y) pop instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 x := ? wildcard assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
MIT Press Math7X9/2000/06/30:10:36 Page 446
446
wa
Notation and Abbreviations
constant valuation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293 DL(r.e.) DL with r.e. programs.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297 DL(array) DL with array assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 DL(stk) DL with algebraic stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 DL(bstk) DL with Boolean stack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 DL(wild) DL with wildcard assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297 DL(dreg) DL with while programs .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 DL1 DL2 no more expressive than. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304 DL1 < DL2 strictly less expressive than . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 DL1 DL2 equivalent in expressive power. . . . . . . . . . . . . . . . . . . . . . . . . . . . .304 DL(rich-test r.e.) rich test DL of r.e. programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 L!1ck! constructive in nitary logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 DL1 N DL2 relative expressiveness over N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 CA natural chain in a structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Aw expansion of a structure by constants . . . . . . . . . . . . . . . . . . . . . 318 Nextm program computing a natural chain . . . . . . . . . . . . . . . . . . . . . . . 318 Sn collection of n-element structures. . . . . . . . . . . . . . . . . . . . . . . . . .319 pAq code of a structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 SPm () mth spectrum of a program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 SP (K ) spectrum of a class of programs .. . . . . . . . . . . . . . . . . . . . . . . . . . 320 Hm language of codes of structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 SP (K ) C spectrum SP (K ) captures complexity class C . . . . . . . . . . . . . 322 APDA auxiliary pushdown automaton . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 `S1 provability in DL Axiom System 14.2 . . . . . . . . . . . . . . . . . . . . . .328 '[x=t] substitution into DL formulas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 `S2 provability in DL Axiom System 14.6 . . . . . . . . . . . . . . . . . . . . . .331 `S3 provability in DL Axiom System 14.9 . . . . . . . . . . . . . . . . . . . . . .335 `S4 provability in DL Axiom System 14.12. . . . . . . . . . . . . . . . . . . . .337 FV () free variables of an abstract program . . . . . . . . . . . . . . . . . . . . . . 344 K1 K2 translatability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347 K1 T K2 termination subsumption. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348 Tn full binary tree of depth n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355 Ltr () L-trace of a computation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
MIT Press Math7X9/2000/06/30:10:36 Page 447
Notation and Abbreviations
447
Cmp (; A) computations of a program in a set. . . . . . . . . . . . . . . . . . . . . . . .356 LtrCmp (; A; n) L-traces of length at most n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 Gn structure arising from an Adian group. . . . . . . . . . . . . . . . . . . . .366 N (C; k) k-neighborhood of a subset of N . . . . . . . . . . . . . . . . . . . . . . . . . . .371 AL Algorithmic Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .383 NDL Nonstandard Dynamic Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 `HL provability in Hoare Logic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385 I time model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 NT satis ability in nonstandard time semantics . . . . . . . . . . . . . . . 386 LDL DL with halt predicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386 RDL DL with well-foundedness predicate . . . . . . . . . . . . . . . . . . . . . . . 386 Pr(DL) probabilistic DL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391 LED Logic of Eective De nitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397 TL Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398 2' box operator of temporal logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398 3' diamond operator of temporal logic . . . . . . . . . . . . . . . . . . . . . . . 398 e' nexttime operator of temporal logic . . . . . . . . . . . . . . . . . . . . . . . 398 at Li at statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Next next relation of TL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400 n niteness predicate of TL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404 inf in niteness predicate of TL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404 until until operator of TL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405 A temporal operator \for all traces" .. . . . . . . . . . . . . . . . . . . . . . . . 406 E temporal operator \there exists a trace". . . . . . . . . . . . . . . . . . .406 PL Process Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 rst temporal operator of PL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408 until temporal operator of PL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408 rst() rst state in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 last() last state in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409 [[ ]] trace operator of PL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412 << >> trace operator of PL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .412 X:'(X ) least xpoint of '(X ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416 KA Kleene algebra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
MIT Press Math7X9/2000/06/30:10:36 Page 448
448
KAT
b
Notation and Abbreviations
Kleene algebra with tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421 negation of a Boolean element in KAT . . . . . . . . . . . . . . . . . . . . .421
MIT Press Math7X9/2000/06/30:10:36 Page 449
Index
* operator, See iteration operator *-continuity, 419 *-continuous Kleene algebra, See Kleene algebra *-continuous dynamic algebra, See dynamic algebra A-validity, 297 Abelian group, 92 accept con guration, 35 acceptable structure, 311 acceptance, 28, 30, 35, 36 accepting subtree, 35 accessibility relation, 127 acyclic, 13 Adian structure, 365, 380 admissibility, 347, 379 AEXPSPACE , 40 AEXPTIME , 40 AL, See Algorithmic Logic algebra dynamic, See dynamic algebra Kleene, See Kleene algebra -, 88 term, 89 algebraic stack, 290 Algorithmic Logic, 383{384, 394 ALOGSPACE , 39 -recursion theory, 64 alternating Turing machine, See Turing machine analytic hierarchy, 45 and-con guration, 35 annihilator, 22 anti-monotone, 26 antichain, 11 antisymmetric, 6 APSPACE, 40 APTIME, 39 argument of a function, 9 arithmetic hierarchy, 42{45 arithmetical completeness, 334, 335, 338, 341 structure, 308, 311, 334 arity, 5, 283, 288 array, 288 assignment, 288 variable, 288 nullary, 292 as expressive as, 229, 304 assignment
array, 288 nondeterministic, See wildcard random, 290 rule, 156 simple, 147, 283, 284 wildcard, xiii, 288, 290, 377, 380 associativity, 83, 166 asterate, 3, 98 ATIME , 39 atom, 82 atomic formula, 284 program, 147, 283, 284 symbol, 164 test, 147 automata PDL, 267 automaton auxiliary pushdown, 324, 351 box, 245 counter, 63 diamond, 247 nite, 131, 266 local, 244 !-, 266 pushdown, 227 pushdown k-ary !-tree, 242 auxiliary pushdown automaton, See automaton axiom, 69 of choice, 16 of regularity, 16 scheme, 71 axiomatization DL, 327{341 equational logic, 99 equational theory of regular sets, 420 in nitary logic, 122 -calculus, 417 PDL, 173{174, 203 PL, 411 predicate logic, 111 with equality, 115 propositional logic, 77, 82 bijective, 10 binary, 6 function symbol, 86 nondeterminism, 377 relation, 6{8, 420 Birkho's theorem, 140 Boolean algebra, 82, 86, 93, 136, 138 of sets, 137, 138 Boolean satis ability, See satis ability, propositional
MIT Press Math7X9/2000/06/30:10:36 Page 450
450
bound occurrence of a variable, 104 bounded memory, 287, 369 box automaton, 245 operator, 165, 398 branching-time TL, 398 Buchi acceptance, 243 canonical homomorphism, 96 Cantor's set theory, 5 capture of a complexity class by a spectrum, 322 of a variable by a quanti er, 104 cardinality, 4 of FL('), 194 carrier, 88, 105, 291 Cartesian power, 4 product, 4 chain, 16 of sets, 17 change of bound variable, 109 choice axiom of, 16 operator, xiv, 164 class, 5 closed, 18 formula, 105 closure congruence, 95, 99 Fischer{Ladner, 191{195, 267 of a variety under homomorphic images, 93 operator, 19 ordinal, 21, 51 universal, 105 CLPDL, 274 co-r.e., 42 in B, 41 coarsest common re nement, 9 coding of nite structures, 318, 320 coinductive, 50 commutativity, 83 compactness, 122, 142, 181, 210, 220, 303 rst-order, 115{116 propositional, 81{82 comparative schematology, 347, 378 complete disjunctive normal form, 83 complete lattice, 13 completeness, 303 DL, 341 equational logic, 99{100 rst-order, 112{115 with equality, 115 for a complexity class, 57
Index
for termination assertions, 341 in nitary logic, 124{126 LED, 397 -calculus, 418 of a deductive system, 70 of a set of connectives, 75, 135 PDL, 203{209 propositional logic, 79{81 relative, 341 TL, 407 complexity, 38{40 class, 57 of DL, 313 of DL, 313{324 of in nitary logic, 126{127 of PDL, 211{224 of spectra, 321 composition, 148, 175 functional, 10, 54 operator, 164 relational, 7, 168 rule, 156, 186 sequential, xiv compositionality, 157 comprehension, 5 computability, 27 relative, 40{41 computation, 356, 364 formal, 356 history, 44 legal, 365 on an in nite tree, 243 sequence, 150, 170 strongly r-periodic, 365 terminating, 356 upward periodic, 365 computational complexity, 64 conclusion, 70 concurrent DL, 393 concurrent PDL, 277 concurrent systems, 406 conditional, 148, 167 rule, 156, 186 con guration, 29, 243 n-, 370 congruence, 94 class, 94 closure, See closure connective, 71 coNP , 57 -completeness, 57 -hardness, 57 consequence
MIT Press Math7X9/2000/06/30:10:36 Page 451
Index
deductive, 70 logical, 69, 91 consistency, 70, 138, 174, 203 constant, 86, 284 test, 148 constructive L!1 ! , 305 context-free DL, 298 language simple-minded, 238 PDL, 230 program, 227, 230 set of seqs, 151 continuity, 11, 17, 417 *- (star-), See *-continuity of <> in presence of converse, 179 contraposition, 136 converse, 7, 10, 177, 203, 270 Cook's theorem, 57 correctness partial, See partial correctness speci cation, 152 total, See total correctness countable, 16 ordinal, See ordinal countably in nite, 16 counter automaton, See automaton counter machine, See Turing machine CRPDL, 274 currying, 25, 142 dag, 13 De Morgan law, 83, 137 in nitary, 123, 143 decidability, 37, 42 of PDL, 191, 199 of propositional logic, 75 deduction theorem, 79, 209 rst-order, 111{112 in nitary, 124 deductive consequence, 70 deductive system, 67 01 , 43 0n , 43 11 , 45, 51 PDL, 272 dense, 6, 120 descriptive set theory, 64
451
deterministic Kripke frame, 259 semantically, 188, 259 while program, 147 diagonalization, 38, 63 diamond automaton, 247 operator, 166, 398 dierence sequence, 250 directed graph, 13 disjunctive normal form, 83 distributivity, 83 in nitary, 123, 143 divergence-closed, 350 DL, See Dynamic Logic concurrent, 393 DN, 77 domain, 88, 105 of a function, 9 of computation, 145, 283, 291 double negation, 77, 83, 136 double-exponential time, 39 DPDL, 260 DSPACE , 39 DTIME , 39 duality, 135{136, 166, 172 duplicator, 119 DWP, 259 dyadic, 6 dynamic formula, 383 term, 383 dynamic algebra, 389{391 *-continuous, 390 separable, 390 Dynamic Logic, 133 axiomatization, 329 basic, 284 context-free, 298 poor test, 148, 284 probabilistic, 391 rich test, 148, 285, 286 of r.e. programs, 304 edge, 13 eective de nitional scheme, 397 EFQ, 78 Ehrenfeucht{Frasse games, 119{120 emptiness problem for PTA, 243 empty relation, 6 sequence, 3
MIT Press Math7X9/2000/06/30:10:36 Page 452
452
set, 4 string, 3 endogenous, 157, 398 enumeration machine, 63 epimorphism, 90 equal expressive power, 304 equality symbol, 284 equation, 88 equational logic, 86{102 axiomatization, 99 equational theory, 91 equationally de ned class, See variety equivalence class, 9 of Kripke frames, 132 of logics, 304, 380 relation, 6, 8{9 eventuality, 402 excluded middle, 136 exogenous, 157 expanded vocabulary, 318 exponential time, 39 expressive structure, 334 expressiveness of DL, 353 relative, 343, 378 over N, 308 EXPSPACE , 40 EXPTIME , 40 fairness, 290 lter, 138 ltration, 191, 195{201, 273 for nonstandard models, 199{201, 204 nitary, 17 nite automaton, 131, 266 branching, 65 intersection property, 81 model property, See small model property model theorem, See small model theorem satis ability, 81, 115 variant, 293 rst-order logic, See predicate logic spectrum, 325 test, 380 vocabulary, 283 Fischer{Ladner closure, 191{195, 267 xpoint, 18
Index
forced win, 119 formal computation, 356 formula, 283 atomic, 284 DL, 286, 297 dynamic, 383 rst-order, 103 Horn, 88 positive in a variable, 416 free, 97 algebra, 97{99 Boolean algebra, 137 commutative ring, 98 for a variable in a formula, 104 monoid, 98 occurrence of a variable, 104 in DL, 329 variable, 105 vector space, 99 function, 9{10 patching, 10, 105, 106, 292 projection, 4 Skolem, 142 symbol, 283 functional composition, See composition fusion of traces, 409 Galois connection, 25 game, 48 generalization rule, 111, 173, 203 generate, 89 generating set, 89 graph, 13 directed, 13 greatest lower bound, See in mum ground term, 87, 103 guarded command, 167, 187 guess and verify, 34, 40 halt, 30 halt, 272, 386 halting problem, 37, 55 for IND programs, 65 over nite interpretations, 322 undecidability of, 63 hard dag, 371 hardness, 57 Herbrand-like state, 317, 349 Hilbert system, 69 Hoare Logic, 133, 156, 186 homomorphic image, 90 homomorphism, 76, 89
MIT Press Math7X9/2000/06/30:10:36 Page 453
Index
453
canonical, 96 Horn formula, 88, 140 in nitary, 140 HSP theorem, 100{102 hyperarithmetic relation, 50 hyperelementary relation, 50, 51
irre exive, 6 isomorphism, 90 local, 119 iteration operator, xiv, 164, 181, 390
ideal of a Boolean algebra, 138 of a commutative ring, 95 idempotence, 83 in nitary, 143 identity relation, 7, 88 image of a function, 10 IND, 45{51, 64 independence, 16 individual, 88 variable, 284, 286 induction axiom PDL, 173, 182, 183, 201 Peano arithmetic, 174, 183 principle, 12, 13 for temporal logic, 401 trans nite, 14 structural, 12, 157 trans nite, 12, 15{16, 117 well-founded, 12{13 inductive assertions method, 399, 401 de nability, 45{53, 64 relation, 49, 51 in mum, 13 in nitary completeness for DL, 341 in nitary logic, 120{127 in nite descending chain, 24 in x, 87 initial state, 293, 304, 317 injective, 10 input variable, 147 input/output pair, 168, 291 relation, 147, 169, 287, 293 speci cation, 153, 154 intermittent assertions method, 398, 402 interpretation of temporal operators in PL, 409 interpreted reasoning, 307, 333 intuitionistic propositional logic, 79, 136 invariant, 399, 401 invariant assertions method, 157, 401 inverse, 10 IPDL, See PDL with intersection
K, 77 k-counter machine, See Turing machine k-fold exponential time, 39 k-neighborhood, 371 KA, See Kleene algebra KAT, See Kleene algebra with tests kernel, 90 Kleene algebra, 389, 418 *-continuous, 390, 419 typed, 423 with tests, 421 Kleene's theorem, 51, 63, 64 Knaster{Tarski theorem, 20{22, 37, 416 Konig's lemma, 61, 65, 387, 388 Kripke frame, 127, 167, 291, 292 nonstandard, 199, 204, 205, 210, 211
join, 11
LOGSPACE , 39 L-trace, 356 language, 67{68 rst-order DL, 283 lattice, 13, 92 complete, 13 LDL, 386 leaf, 50 least xpoint, 49, 415, 416 least upper bound, 11 LED, 397 legal computation, 365 lexicographic order, 23 limit ordinal, See ordinal linear order, See total order recurrence, 255, 257 linear-time TL, 398 literal, 82 liveness property, 402 local automaton, 244 isomorphism, 119 logarithmic space, 39
MIT Press Math7X9/2000/06/30:10:36 Page 454
454
logic, 67 Logic of Eective De nitions, 397 logical consequence, 69, 91, 106, 172 in PDL, 209, 216, 220{224 logical equivalence, 106, 163 L!1 ! , 120, 142, 305 constructive, 305 L!1ck ! , 120, 142, 304, 305 L!! , See predicate logic loop, 30 -free program, 385 invariance rule, 182, 184, 201 loop, 272, 386 Lowenheim{Skolem theorem, 116{117, 302 downward, 116, 122, 126 upward, 116, 122, 142, 346 lower bound for PDL, 216{220 LPDL, 272
m-state, 317 many-one reduction, 53 maximal consistent set, 204 meaning, See semantics function, 167, 291 meet, 13 membership problem, 37, 55 meta-equivalence, 3 meta-implication, 3, 73 method of well-founded sets, 402 min,+ algebra, 420 modal logic, xiv, 127{134, 164, 167, 191 modal -calculus, See -calculus modality, 130 model, 68, 106 nonstandard, 384 model checking, 199, 202, 211 for the -calculus, 418 model theory, 68 modus ponens, 77, 111, 173, 203 monadic, 6 mono-unary vocabulary, 319 monoid, 92 free, 98 monomorphism, 90 monotone, 11, 17 Boolean formula, 135 monotonicity, 416 MP, 77 mth spectrum, 320 operator, 415
Index
-calculus, 271, 415, 417 multimodal logic, 130{132 multiprocessor systems, 406 n-ary function symbol, 86 relation, 6 n-con guration, 370 n-pebble game, 120, 370 natural chain, 318, 325 natural deduction, 69 NDL, 384, 394 necessity, 127 neighborhood, 371 NEXPSPACE , 40 NEXPTIME , 40 next con guration relation, 29 nexttime operator, 398 NLOGSPACE , 39 nondeterminism, 63, 151, 158 binary, 377 unbounded, 377 nondeterministic assignment, See wildcard assignment choice, xiv, 175 program, 133 Turing machine, See Turing machine while program, 285 nonstandard Kripke frame, 199, 204, 205, 210, 211 model, 384 Nonstandard DL, 384{386, 394 normal subgroup, 95 not-con guration, 36 not-state, 36 NP , 40, 57 -completeness, 57, 220 -hardness, 57 NPSPACE, 39 NPTIME, 39 NTIME , 39 nullary, 6 array variable, 292 function symbol, 86 number theory, 103, 140 second-order, 45 occurrence, 104 !-automaton, 266 !1ck , 50 one-to-one, 10 correspondence, 10
MIT Press Math7X9/2000/06/30:10:36 Page 455
Index
onto, 10 or-con guration, 35 oracle, 41 Turing machine, See Turing machine ord, 50, 124 ordinal, 14 countable, 50 limit, 14, 15 recursive, 45 successor, 14, 15 trans nite, 13{15 output variable, 147 P , 40 p-sparse, 367 P =NP problem, 40, 76 pairing function, 142 parameterless recursion, 227, 290 parentheses, 72, 166 partial correctness, 154 assertion, 133, 167, 187, 313, 316, 325, 385 order, 6, 10{12 strict, 6, 11 partition, 9 path, 50, 132 PDL, 163{277 automata, 267 concurrent, 277 poor test, 263 regular, 164 rich test, 165, 263 test-free, 264 with intersection, 269 PDL(0) , 224 Peano arithmetic induction axiom of, 174 pebble game, 120, 370 Peirce's law, 136 01 , 43 0n , 43 11 , 45, 51, 126 -completeness, 222 PL, See Process Logic polyadic, 369 polynomial, 98 space, 39 time, 39 poor test, 148, 263, 284 vocabulary, 319 positive, 49
455
possibility, 127 postcondition, 154 post x, 87 precedence, 72, 103, 166 precondition, 154 predicate logic, 102{119 predicate symbol, 283 pre x, 87 pre xpoint, 18 premise, 70 prenex form, 45, 109 preorder, 6, 10 probabilistic program, 391{393 Process Logic, 408 product, 100 program, 145, 283, 287 atomic, 147, 283, 284 DL, 284 loop-free, 385 operator, 147 probabilistic, 391{393 r.e., 287, 296 regular, 148, 169, 285 schematology, 311 scheme, 302 simulation, 347 uniformly periodic, 365 variable, 286 while, 149 with Boolean arrays, 380 programming language semi-universal, 349 projection function, 4 proof, 70 proper class, See class proposition, 72 propositional formula, 72 logic, 71{86 intuitionistic, 136 operators, 71 satis ability, See satis ability Propositional Dynamic Logic, See PDL PSPACE , 39 PTIME , 39 pushdown k-ary !-tree automaton, 242 automaton, 227 store, See stack
MIT Press Math7X9/2000/06/30:10:36 Page 456
456
quanti er, 102 depth, 119 quasiorder, See preorder quasivariety, 140 quotient algebra, 96 construction, 96{97 Ramsey's theorem, 24 random assignment, See assignment range of a function, 9 RDL, 386 r.e., 30, 42, 63 in B, 41 program, 287, 296 reasoning interpreted, 307, 333 uninterpreted, 301, 327 recursion, 149, 289 parameterless, 227, 290 recursive, 30, 42 call, 149 function theory, 63 in B, 41 ordinal, 45, 50{51 tree, 50{51 recursively enumerable, See r.e. reducibility, 54 relation, 53{56, 63 reductio ad absurdum, 136 reduction many-one, 53 re nement, 6, 9 re exive, 6 re exive transitive closure, 8, 20, 47, 182, 183, 200 refutable, 70 regular expression, 164, 169, 190 program, 148, 169, 285 with arrays, 288 with Boolean stack, 364 with stack, 289 set, 170, 420 reject con guration, 35 rejection, 28, 30 relation, 5 binary, 6{8 empty, 6 hyperarithmetic, 50 hyperelementary, 50, 51
Index
next con guration, 29 reducibility, 53{56, 63 symbol, 283 universal, 45 well-founded, See well-founded relational composition, See composition structure, 105 relative completeness, 341 computability, 40{41 expressiveness, 343, 378 over N, 308 repeat, 272, 386 representation by sets, 76{77 resolution, 69 rich test, 148, 165, 263, 285, 286 vocabulary, 319 ring, 92 commutative, 92 RPDL, 272 rule of inference, 69 run, 386 Russell's paradox, 5 S, 77 safety property, 401 satisfaction equational logic, 90 rst-order, 106 PDL, 168 propositional, 74 relation, 106 TL, 400 satis ability algorithm for PDL, 191, 213 Boolean, See satis ability, propositional DL, 297, 298 nite, 81 modal logic, 128 PDL, 171, 191, 211 propositional, 57, 74, 76, 129, 220 scalar multiplication, 390 schematology, 302, 347, 378 scope, 104 SDPDL, 224, 260 second-order number theory, 45 Segerberg axioms, See axiomatization, PDL semantic determinacy, 188, 259
MIT Press Math7X9/2000/06/30:10:36 Page 457
Index
semantics, 67, 68 abstract programs, 344 DL, 291{298 equational logic, 88 in nitary logic, 120 modal logic, 127 multimodal logic, 131 PDL, 167{170 predicate logic, 105{109 with equality, 115 propositional logic, 73{74 semi-universal, 349, 350 semigroup, 92 semilattice, 13, 92 sentence, 69, 105 separable dynamic algebra, See dynamic algebra seq, 150, 170, 287 sequent, 69 sequential composition, See composition set operator, 16{22 -algebra, 88 01 , 43 0n , 43 signature, See vocabulary simple assignment, See assignment simple-minded context-free language, 238, 256 pushdown automaton, 238 simulation, 37, 347 Skolem function, 142 Skolemization, 142 SkS, 229 small model property, 191, 198, 227 theorem, 198, 211 soundness, 70 equational logic, 99{100 modal logic, 128 PDL, 172, 174 SPDL, 260 speci cation correctness, 152 input/output, 153, 154 spectral complexity, 317, 321, 322 theorem, 353, 379 spectrum, 379 rst-order, 325 mth , 320 of a formula, 320
457
second-order, 325 spoiler, 119 stack, 149, 288, 289 algebraic, 290 automaton, 249 Boolean, 290 con guration, 243 higher-order, 325 operation, 289 standard Kripke frame, 390 * operator, See iteration operator *-continuity, 419 *-continuous dynamic algebra, See dynamic algebra *-continuous Kleene algebra, See Kleene algebra start con guration, 29 state, 127, 146, 167, 291, 293, 400 Herbrand-like, 317, 349 initial, 293, 304, 317 m-, 317 static logic, 304 stored-program computer, 37 strict partial order, 6, 11 strictly more expressive than, 229, 304 strongly r-periodic, 365 structural induction, See induction structure, 68 acceptable, 311 Adian, 365 arithmetical, 308 expressive, 334 p-sparse, 367 relational, 105 treelike, 261, 262, 355, 367 subalgebra, 89 generated by, 89 subexpression relation, 191 substitution, 90 in DL formulas, 329 instance, 90, 222 operator, 105, 106 rule, 84, 138 succession, 370 successor ordinal, See ordinal supremum, 11 surjective, 10 symbol atomic, 164 constant, 284 equality, 284
MIT Press Math7X9/2000/06/30:10:36 Page 458
458
function, 283 predicate, 283 relation, 102, 283 symmetric, 6 syntactic continuity, 416 interpretation, 89 monotonicity, 416 syntax, 67 tableau, 69 tail recursion, 150 tautology, 74, 129 in nitary, 142 Temporal Logic, 133, 157, 398 branching-time, 133 linear-time, 133 temporal operators, 401 interpretation in PL, 409 term, 87, 103 algebra, 89 dynamic, 383 ground, 87, 103 termination, 166, 356 assertion, 327 properties of nite interpretations, 351 subsumption, 348, 379 ternary, 6 function symbol, 86 test, 147, 175 -free, 264 atomic, 147 rst-order, 380 operator, xiv, 165, 284 poor, See poor test rich, See rich test theorem, 70 theory, 69 tile, 58 tiling problem, 58{63, 117, 126, 222 time model, 385 time-sharing, 42, 53 TL, See temporal logic topology, 81 total, 30 correctness, 155, 271, 327 assertion, 313 order, 6, 11 trace, 146 in PL, 409 L-, 356
Index
quanti er, 406 trans nite induction, See induction ordinal, See ordinal transition function, 28 transitive, 6 closure, 8, 19 set, 14 transitivity, 192 of implication, 78 of reductions, 54 translatability, 347 trap, 366 tree, 50 model, 143, 239 model property, 239 structure, 239 well-founded, 50 tree-parent, 371 treelike structure, 132, 261, 262, 355, 367 truth, 106 assignment, 74 table, 134 value, 73, 74 Turing machine, 27{37, 63 alternating, 34{37, 46, 216, 225 with negation, 36{37 deterministic, 28 nondeterministic, 33{34 oracle, 40{42 universal, 37, 63 with k counters, 32{33 with two stacks, 31{32 typed Kleene algebra, See Kleene algebra UDH tree, 241 ultra lter, 138 unary, 6 function symbol, 86 unbounded nondeterminism, 377 undecidability, 37, 42 of predicate logic, 117{119 of the halting problem, 63 uniform periodicity, 365 simulation, 37 uninterpreted reasoning, 301, 327 unique diamond path Hintikka tree, See UDH tree universal closure,
MIT Press Math7X9/2000/06/30:10:36 Page 459
Index
See closure formula, 141 model, 208, 211 relation, 7, 45 Turing machine, See Turing machine universality problem, 62 universe, 127 until operator, 405 unwind property, 344, 379 unwinding, 132 upper bound, 11 least, 11 upper semilattice, 13 upward periodic, 365 use vs. mention, 73
validity, 69 A-, 297 DL, 297, 298, 313 equational logic, 91 rst-order, 106 modal logic, 128 PDL, 171 propositional, 74 valuation, 90, 105, 146, 283, 291, 292 value of a function, 9 variable, 145 array, 288 individual, 87, 284, 286 program, 286 work, 147 variety, 92 vector space, 93 veri cation conditions, 333 vertex, 13 vocabulary, 86 expanded, 318 rst-order, 102, 283 monadic, 369 mono-unary, 319 polyadic, 369 poor, 319 rich, 319 weakening rule, 156, 186 well order, 6 well ordering principle, 16 well partial order, 12 well quasiorder, 12 well-founded, 6, 11, 121, 271, 402 induction, See induction relation, 12, 48
459
tree, 50 well-foundedness, 386{389 wf , 272, 386 while loop, 167, 260 operator, 148 program, 149, 259 deterministic, 285 nondeterministic, 285 with arrays, 288 with stack, 289 rule, 156, 186 wildcard assignment, See assignment work variable, 147 world, 127 WP, 260 Zermelo's theorem, 16 Zermelo{Fraenkel set theory, 4, 16 ZF, 16 ZFC, 4, 16 Zorn's lemma, 16, 138